File name: sysvolume.zip

Full analysis: https://app.any.run/tasks/76612c0a-4f8f-40f0-a66e-c6e6040d67fe
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers in order to mine cryptocurrencies. It can be deployed either on an infected machine or on a compromised website; in both cases the miner consumes the device's computing power and network bandwidth.

Analysis date: September 04, 2025, 18:48:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
zephyr
miner
xmrig
winring0-sys
vuln-driver
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 548BA7195A9CF77AB884B0AAD1ED956D
SHA1: 02655DE86885F1E6510B7A65FB49FC04B32B4F96
SHA256: 4EE58C6DF4C410403B134503DD046947E8B8D3C2F0F43DCEB3C42E2BB09C4B28
SSDEEP: 98304:TxHZCeSQeG2yruX6wcpc6x7mCgq1E2IaUQF6Y+Zf+++tCBcxa49vJF4LladqCC6q:kUXtXaZSfnbTgvwE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6340)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1380)
      • printui.exe (PID: 3840)
      • cmd.exe (PID: 3392)
      • printui.exe (PID: 4512)
      • svchost.exe (PID: 1148)
      • cmd.exe (PID: 3572)
      • printui.exe (PID: 5504)
    • Changes Windows Defender settings

      • cmd.exe (PID: 1380)
      • printui.exe (PID: 3840)
      • cmd.exe (PID: 3392)
      • printui.exe (PID: 4512)
      • svchost.exe (PID: 1148)
      • cmd.exe (PID: 3572)
      • printui.exe (PID: 5504)
    • ZEPHYR has been detected

      • xcopy.exe (PID: 6344)
      • cmd.exe (PID: 1380)
      • xcopy.exe (PID: 4084)
      • cmd.exe (PID: 3392)
      • xcopy.exe (PID: 4224)
      • cmd.exe (PID: 3572)
    • Starts CMD.EXE for self-deleting

      • svcinsty64.exe (PID: 5772)
      • svcinsty64.exe (PID: 6140)
      • svcinsty64.exe (PID: 7096)
    • Creates or modifies Windows services

      • svctrl64.exe (PID: 516)
    • Scans artifacts that could help determine the target

      • MSACCESS.EXE (PID: 1388)
    • XMRig has been detected

      • u408444.exe (PID: 4692)
    • Vulnerable driver has been detected

      • svchost.exe (PID: 1148)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2200)
      • u408444.exe (PID: 4692)
    • Connects to the CnC server

      • u408444.exe (PID: 4692)
    • XMRIG has been detected (YARA)

      • u408444.exe (PID: 4692)
  • SUSPICIOUS

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 1964)
      • powershell.exe (PID: 5724)
      • powershell.exe (PID: 3964)
    • Process copies executable file

      • cmd.exe (PID: 1380)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3572)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1380)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 4768)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 6344)
      • xcopy.exe (PID: 7048)
      • printui.exe (PID: 3840)
      • cmd.exe (PID: 1380)
      • svcinsty64.exe (PID: 5772)
      • svctrl64.exe (PID: 516)
      • xcopy.exe (PID: 4084)
      • xcopy.exe (PID: 2348)
      • cmd.exe (PID: 3392)
      • printui.exe (PID: 4512)
      • svchost.exe (PID: 1148)
      • xcopy.exe (PID: 6428)
      • xcopy.exe (PID: 4224)
      • cmd.exe (PID: 3572)
      • printui.exe (PID: 5504)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1380)
      • printui.exe (PID: 3840)
      • cmd.exe (PID: 3392)
      • printui.exe (PID: 4512)
      • svchost.exe (PID: 1148)
      • cmd.exe (PID: 3572)
      • printui.exe (PID: 5504)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1380)
      • printui.exe (PID: 3840)
      • printui.exe (PID: 4512)
      • svchost.exe (PID: 1148)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3572)
      • printui.exe (PID: 5504)
    • Starts CMD.EXE for commands execution

      • svcinsty64.exe (PID: 5772)
      • wscript.exe (PID: 2028)
      • svcinsty64.exe (PID: 6140)
      • svcinsty64.exe (PID: 7096)
      • wscript.exe (PID: 1568)
    • The process deletes folder without confirmation

      • svcinsty64.exe (PID: 5772)
      • svcinsty64.exe (PID: 6140)
      • svcinsty64.exe (PID: 7096)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 5884)
      • cmd.exe (PID: 516)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 4684)
      • wscript.exe (PID: 2028)
      • wscript.exe (PID: 5496)
      • wscript.exe (PID: 1568)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4684)
      • wscript.exe (PID: 2028)
      • wscript.exe (PID: 5496)
      • wscript.exe (PID: 1568)
    • Application launched itself

      • wscript.exe (PID: 4684)
      • wscript.exe (PID: 5496)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2028)
      • wscript.exe (PID: 1568)
    • The process executes VB scripts

      • wscript.exe (PID: 4684)
      • wscript.exe (PID: 5496)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2028)
      • wscript.exe (PID: 1568)
    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 2028)
      • wscript.exe (PID: 1568)
    • Reads security settings of Internet Explorer

      • MSACCESS.EXE (PID: 1388)
    • There is functionality for taking screenshot (YARA)

      • printui.exe (PID: 4512)
    • Reads the date of Windows installation

      • MSACCESS.EXE (PID: 1388)
    • Detected use of alternative data streams (AltDS)

      • ONENOTE.EXE (PID: 5436)
    • Drops a system driver (possible attempt to evade defenses)

      • svchost.exe (PID: 1148)
    • Connects to unusual port

      • svchost.exe (PID: 1148)
      • u408444.exe (PID: 4692)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2200)
      • u408444.exe (PID: 4692)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • svchost.exe (PID: 1148)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1380)
      • notepad++.exe (PID: 2612)
      • notepad.exe (PID: 2460)
      • wscript.exe (PID: 4684)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 888)
      • wscript.exe (PID: 5496)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6340)
    • Checks supported languages

      • chcp.com (PID: 3584)
      • svcinsty64.exe (PID: 5772)
      • printui.exe (PID: 3840)
      • svctrl64.exe (PID: 516)
      • chcp.com (PID: 4844)
      • printui.exe (PID: 4512)
      • MSACCESS.EXE (PID: 1388)
      • svcinsty64.exe (PID: 6140)
      • u408444.exe (PID: 4692)
      • chcp.com (PID: 4412)
      • chcp.com (PID: 1180)
      • svcinsty64.exe (PID: 7096)
      • printui.exe (PID: 5504)
      • chcp.com (PID: 892)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4540)
      • notepad.exe (PID: 2460)
      • explorer.exe (PID: 2280)
      • explorer.exe (PID: 1132)
      • explorer.exe (PID: 4104)
      • explorer.exe (PID: 440)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1964)
      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 5724)
      • powershell.exe (PID: 3960)
      • powershell.exe (PID: 2276)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 1180)
      • powershell.exe (PID: 3964)
      • powershell.exe (PID: 7028)
    • Changes the display of characters in the console

      • cmd.exe (PID: 1380)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 4768)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1964)
      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 5724)
      • powershell.exe (PID: 3960)
      • powershell.exe (PID: 2276)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 1180)
      • powershell.exe (PID: 3964)
      • powershell.exe (PID: 7028)
    • The sample compiled with english language support

      • xcopy.exe (PID: 6344)
      • xcopy.exe (PID: 4084)
      • xcopy.exe (PID: 4224)
    • Reads the computer name

      • svcinsty64.exe (PID: 5772)
      • svctrl64.exe (PID: 516)
      • MSACCESS.EXE (PID: 1388)
      • svcinsty64.exe (PID: 6140)
      • u408444.exe (PID: 4692)
      • svcinsty64.exe (PID: 7096)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4540)
      • explorer.exe (PID: 2280)
      • MSACCESS.EXE (PID: 1388)
      • explorer.exe (PID: 440)
    • Reads the machine GUID from the registry

      • MSACCESS.EXE (PID: 1388)
    • Reads product name

      • MSACCESS.EXE (PID: 1388)
    • Reads CPU info

      • MSACCESS.EXE (PID: 1388)
    • Checks proxy server information

      • MSACCESS.EXE (PID: 1388)
      • slui.exe (PID: 2808)
    • Reads the software policy settings

      • MSACCESS.EXE (PID: 1388)
      • slui.exe (PID: 2808)
    • Reads Environment values

      • MSACCESS.EXE (PID: 1388)
    • Create files in a temporary directory

      • MSACCESS.EXE (PID: 1388)
    • Process checks computer location settings

      • MSACCESS.EXE (PID: 1388)
    • Creates files or folders in the user directory

      • MSACCESS.EXE (PID: 1388)
    • The sample compiled with japanese language support

      • svchost.exe (PID: 1148)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:08:31 20:47:34
ZipCRC: 0xc512fda6
ZipCompressedSize: 7975264
ZipUncompressedSize: 12852224
ZipFileName: sysvolume/u403585.dat
No data.
All screenshots are available in the full report
Total processes: 236
Monitored processes: 89
Malicious processes: 18
Suspicious processes: 4

Behavior graph

start winrar.exe rundll32.exe no specs notepad++.exe notepad.exe no specs #ZEPHYR cmd.exe conhost.exe no specs chcp.com no specs explorer.exe no specs explorer.exe no specs powershell.exe no specs #ZEPHYR xcopy.exe xcopy.exe printui.exe no specs printui.exe no specs printui.exe slui.exe powershell.exe no specs conhost.exe no specs svcinsty64.exe svctrl64.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs winword.exe ai.exe no specs wscript.exe no specs wscript.exe #ZEPHYR cmd.exe conhost.exe no specs chcp.com no specs explorer.exe no specs explorer.exe no specs powershell.exe no specs #ZEPHYR xcopy.exe xcopy.exe printui.exe msaccess.exe powershell.exe no specs conhost.exe no specs svcinsty64.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs onenote.exe #MINER u408444.exe conhost.exe no specs #MINER svchost.exe THREAT svchost.exe #ZEPHYR cmd.exe conhost.exe no specs chcp.com no specs explorer.exe no specs explorer.exe no specs powershell.exe no specs #ZEPHYR xcopy.exe xcopy.exe printui.exe no specs printui.exe no specs printui.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs explorer.exe no specs svcinsty64.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs explorer.exe no specs wscript.exe no specs wscript.exe cmd.exe no specs conhost.exe no specs chcp.com no specs explorer.exe no specs explorer.exe no specs winword.exe ai.exe no specs winword.exe ai.exe no specs winword.exe ai.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 440
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 516
CMD: "C:\Windows\System32\svctrl64.exe"
Path: C:\Windows\System32\svctrl64.exe
Parent process: svcinsty64.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\svctrl64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 516
CMD: cmd.exe /c timeout /t 5 /nobreak && del /q "C:\WINDOWS\System32\svcinsty64.exe" && rmdir /s /q "C:\Windows \"
Path: C:\Windows\System32\cmd.exe
Parent process: svcinsty64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 592
CMD: timeout /t 5 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 888
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\u655472.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 892
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1056
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Documents\comeschildren.rtf" /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1132
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 1148
CMD: C:\Windows\System32\svchost.exe -k DcomLaunch
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\u852981.dll
c:\windows\system32\ws2_32.dll
Total events: 186 386
Read events: 184 207
Write events: 1 964
Delete events: 215

Modification events

PID | Process | Key | Operation | Name | Value
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP |
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon |
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\sysvolume.zip
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
6340 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 21
Suspicious files: 104
Text files: 42
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2612 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml
MD5: 312281C4126FA897EF21A7E8CCB8D495
SHA256: 53B4BE3ED1CFD712E53542B30CFE30C5DB35CC48BE7C57727DFEC26C9E882E90
2612 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\converter.ini | text
MD5: F70F579156C93B097E656CABA577A5C9
SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
6340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6340.36548\sysvolume\u809061.vbs | text
MD5: D1A372DD85AD979BCC46C8C5439945CF
SHA256: 832F33C308D4A8E27681B3D1EDBE017E679622340528AA2510996753C3EFD1BD
2612 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml
MD5: FE22EC5755BC98988F9656F73B2E6FB8
SHA256: F972C425CE176E960F6347F1CA2F64A8CE2B95A375C33A03E57538052BA0624D
6340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6340.36548\sysvolume\u579450.bin | binary
MD5: 37819CDF5BC9869BE43D65247C5AA46A
SHA256: 1F2F35E13CFB950FE0799E39EE50C2A92A3EB197FCFF6E61530A242EE4F7180E
6340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6340.36548\sysvolume\u403585.dat | executable
MD5: EADBCD49DDA980A5557C4D37F3CE5FB9
SHA256: 58B44974AE04C61E11D0DD5964F04000E9AFDA4BB332E7C9A74D33D5CD52B727
6340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6340.36548\sysvolume\u655472.bat | text
MD5: 3811CE4D75E7679C96E7C4EBBB544BDD
SHA256: C59360C402B0BA0852A58D522B888DEC24DB45B6D61D495E75C84CD1B17B0863
7048 | xcopy.exe | C:\Windows \System32\u403585.dat | executable
MD5: EADBCD49DDA980A5557C4D37F3CE5FB9
SHA256: 58B44974AE04C61E11D0DD5964F04000E9AFDA4BB332E7C9A74D33D5CD52B727
3840 | printui.exe | C:\Windows\System32\svcinsty64.exe | executable
MD5: 007F90C7D79C928BC01E8231A66A5FD2
SHA256: 3C8972E99EAD4BF76CE452B1B44E49FF3AEFC00A479352079B7810A472F2C72F
1380 | cmd.exe | C:\Windows \System32\printui.dll | executable
MD5: EADBCD49DDA980A5557C4D37F3CE5FB9
SHA256: 58B44974AE04C61E11D0DD5964F04000E9AFDA4BB332E7C9A74D33D5CD52B727
HTTP(S) requests: 15
TCP/UDP connections: 60
DNS requests: 44
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 |  | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | DE | binary | 471 b | whitelisted
1268 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
1056 | WINWORD.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | DE | binary | 471 b | whitelisted
1324 | SIHClient.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
1148 | svchost.exe | GET | 200 | 2.58.56.13:80 | http://2.58.56.13/utl/xmr.dat | NL | binary | 6.16 Mb | unknown
1388 | MSACCESS.EXE | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | US | binary | 471 b | whitelisted
2940 | svchost.exe | GET | 200 | 72.246.169.163:80 | http://x1.c.lencr.org/ | DE | binary | 734 b | whitelisted
1148 | svchost.exe | GET | 200 | 2.58.56.13:80 | http://2.58.56.13/utl/xmrsys.dat | NL | binary | 14.4 Kb | unknown
1148 | svchost.exe | GET | 200 | 2.58.56.13:80 | http://2.58.56.13/inf.dat | NL | binary | 12.2 Mb | unknown
764 | lsass.exe | GET | 200 | 104.18.20.213:80 | http://r10.c.lencr.org/81.crl | unknown | binary | 142 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
684 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6216 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6216 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.142 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 72.246.29.11 | whitelisted
login.live.com | 40.126.31.130, 20.190.159.64, 20.190.159.129, 40.126.31.1, 40.126.31.129, 20.190.159.131, 20.190.159.75, 40.126.31.67 | whitelisted
ocsp.digicert.com | 2.17.190.73, 184.30.131.245 | whitelisted
slscr.update.microsoft.com | 135.233.95.144 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
self.events.data.microsoft.com | 13.89.179.13, 13.89.179.8, 20.189.173.1, 13.89.179.14, 20.52.64.201, 51.104.15.253 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query to Coin Mining Domain (nanopool .org)
4692 | u408444.exe | Potential Corporate Privacy Violation | ET INFO Cryptocurrency Miner Checkin
1148 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
1148 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
4692 | u408444.exe | Potential Corporate Privacy Violation | ET INFO Cryptocurrency Miner Checkin
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: error while getting certificate informations
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.