File name:

WinRAR-Activator-main.zip

Full analysis: https://app.any.run/tasks/a3114bf1-35bc-49f8-bd9d-c1f50cfacf32
Verdict: Malicious activity
Analysis date: June 18, 2025, 20:40:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

05D031AE577D8E4D707E90E7FC388AC6

SHA1:

33B1FA0975619A8626AF5D99CBDDE9F01169FDFE

SHA256:

4F041E2AE9FC60A28CA8A3887A182000C9F671900351DED9818EE85C7D8B8041

SSDEEP:

384:WvaUISEGbW2QqA/N92gHkZIWUZtbFXbC87ArkmzvMSM:8ISEGM/zEZIWUZtbFXbpo1z6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 3780)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1688)
  • SUSPICIOUS

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 7092)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 3836)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3836)
      • WinRAR.exe (PID: 3644)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 7092)
    • Reads Internet Explorer settings

      • WinRAR.exe (PID: 3836)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1688)
    • Executing commands from ".cmd" file

      • powershell.exe (PID: 1688)
      • wscript.exe (PID: 6344)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1688)
      • wscript.exe (PID: 6344)
    • The process executes VB scripts

      • cmd.exe (PID: 3048)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6344)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 4968)
      • powershell.exe (PID: 1688)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6180)
      • mode.com (PID: 5908)
    • Checks proxy server information

      • WinRAR.exe (PID: 3836)
      • powershell.exe (PID: 1688)
      • WinRAR.exe (PID: 3644)
    • Checks supported languages

      • mode.com (PID: 6180)
      • mode.com (PID: 5908)
    • Creates files in the program directory

      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 7092)
    • Reads the software policy settings

      • WinRAR.exe (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:04:02 10:08:36
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: WinRAR-Activator-main/
No data.
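The file info and EXIF blocks above describe the container only: a ZIP whose first entry is the stored directory WinRAR-Activator-main/ (compression method store, CRC 0x00000000 for the directory record), tagged arch-scr because the payload is script code rather than a PE. The triage step a practitioner takes before opening such a sample in a sandbox is to confirm the hash against the report and list the members without extracting them. The following Python is an added example for this page, not ANY.RUN's code and not content of the sample. The archive it builds is constructed in memory to mirror the reported layout (the stored directory entry, a LICENSE and WRA.ps1, plus a placeholder .cmd); its member contents, the run.cmd name and therefore the resulting hashes are placeholders and will not match the real file. The extension list used to flag script payloads is this example's own heuristic.

```python
"""Offline ZIP triage: verify the archive hash and enumerate members for script
payloads (the arch-scr pattern). Added example for this page, not ANY.RUN's code.
The sample archive is constructed here; only its layout mirrors the report."""
import hashlib
import io
import posixpath
import zipfile

# Member extensions treated as executable content (heuristic, assumption of this example).
SCRIPT_EXTS = {".ps1", ".cmd", ".bat", ".vbs", ".js", ".wsf", ".hta", ".lnk", ".exe", ".dll", ".scr"}

# Same wording the report uses in "compression method=store".
COMPRESSION_NAMES = {
    zipfile.ZIP_STORED: "store",
    zipfile.ZIP_DEFLATED: "deflate",
    zipfile.ZIP_BZIP2: "bzip2",
    zipfile.ZIP_LZMA: "lzma",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the archive bytes, upper-case like the report prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def check_reported_hash(data: bytes, reported_sha256: str) -> bool:
    """True when the bytes on disk are the sample the report describes."""
    return hashlib.sha256(data).hexdigest().upper() == reported_sha256.upper()


def triage_zip(data: bytes) -> dict:
    """Read the central directory and each member in memory; never extract to disk."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = b"" if info.is_dir() else zf.read(info)
            ext = posixpath.splitext(info.filename)[1].lower()
            members.append({
                "name": info.filename,
                "is_dir": info.is_dir(),
                "compression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                "size": info.file_size,
                "crc": f"0x{info.CRC:08X}",              # directory records carry CRC 0, as in the EXIF block
                "sha256": hashlib.sha256(content).hexdigest().upper(),
                "is_script": ext in SCRIPT_EXTS,
            })
    scripts = [m["name"] for m in members if m["is_script"]]
    return {
        "archive": file_hashes(data),
        "members": members,
        "scripts": scripts,
        # mirrors the report's tag: an archive whose payload is script code
        "verdict_hint": "arch-scr" if scripts else "no-script-payload",
    }


def build_sample_zip() -> bytes:
    """Constructed look-alike of the reported layout; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        top = zipfile.ZipInfo("WinRAR-Activator-main/", date_time=(2025, 4, 2, 10, 8, 36))
        zf.writestr(top, b"", compress_type=zipfile.ZIP_STORED)
        zf.writestr("WinRAR-Activator-main/LICENSE", b"placeholder license text\n",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("WinRAR-Activator-main/WRA.ps1", b"# placeholder, not the sample's script\n",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("WinRAR-Activator-main/run.cmd", b"@echo placeholder\r\n",  # name assumed
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    result = triage_zip(sample)
    print("archive sha256:", result["archive"]["sha256"])
    for m in result["members"]:
        print(f'{m["compression"]:8} {m["crc"]} {m["size"]:6d} {m["name"]}'
              + ("  <- script" if m["is_script"] else ""))
    print("verdict hint:", result["verdict_hint"])
```

Run against the real sample, check_reported_hash with the SHA256 from the indicators block confirms you are looking at the same file before any member is touched; the script list is what decides whether the archive goes to a Windows sandbox or straight to static review of the .ps1 and .cmd.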
All screenshots are available in the full report
Total processes
168
Monitored processes
34
Malicious processes
1
Suspicious processes
5

Behavior graph

Processes as drawn in the graph ("no specs" marks a process for which no indicator was recorded):
winrar.exe (no specs), rundll32.exe (no specs), cmd.exe, conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), mode.com (no specs), winrar.exe, timeout.exe (no specs), taskkill.exe (no specs), winrar.exe (no specs), timeout.exe (no specs), taskkill.exe (no specs), timeout.exe (no specs),
powershell.exe, conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), wscript.exe (no specs),
cmd.exe, conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), mode.com (no specs), winrar.exe, timeout.exe (no specs), taskkill.exe (no specs), winrar.exe (no specs), timeout.exe (no specs), taskkill.exe (no specs), timeout.exe (no specs),
svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 416
CMD: "C:\Program Files\WinRAR\WinRAR.exe"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: cmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR archiver
Exit code:
1
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1100
CMD: NET FILE
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\mpr.dll
PID: 1508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1688
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass "C:\Users\admin\Desktop\WinRAR-Activator-main\WRA.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2032
CMD: C:\WINDOWS\system32\net1 FILE
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\dsrole.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2220
CMD: taskkill /f /im WinRAR.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2292
CMD: timeout /t 3 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2388
CMD: timeout /t 3 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2808
CMD: taskkill /f /im WinRAR.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
17 450
Read events
17 429
Write events
21
Delete events
0

Modification events

(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\WinRAR-Activator-main.zip
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
(PID) Process: (3780) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100
(PID) Process: (3836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (3836) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Misc
Operation: write
Name: RemShown
Value:
1
Executable files
0
Suspicious files
5
Text files
23
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 3780 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3780.7471\WinRAR-Activator-main\LICENSE
MD5:1EBBD3E34237AF26DA5DC08A4E440464
SHA256:3972DC9744F6499F0F9B2DBF76696F2AE7AD8AF9B23DDE66D6AF86C9DFB36986
PID: 3836 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\button_buy_blank[1].png
MD5:5653146F28B4A490577AFCDE13EC4F2B
SHA256:2B150D073799B07AA68360FCF1FFA56A2B85F99EECA144BD876511AF8D79F9D9
PID: 3836 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\logo-winrar-rarlab[1].gif
MD5:5F412DFD080BCFB0AE5D9E96BD0B4B2B
SHA256:C36DDB37D737E658C4CCC010AF640A14FA69DEBAD4FF85CCF0606A96BABDF931
PID: 3836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\basic[1].css
MD5:8CD1514A5EE8D6556CD008E4E39B66F6
SHA256:2E348C83951A36210A1C20A4B672993ECD9D2EF0EDEA615F835640ED5D88D503
PID: 3836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\special[1].css
MD5:00F20480E3C0CF3CFEB5EEDE0140ED25
SHA256:28E5C3125B3C32D4A7AEBDED45B58A1AD1E5E33BC3C5CC34E5DB2043AB0D79EC
PID: 3836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\price[1].css
MD5:80CDD5F754B1BB2E254991F2348A719F
SHA256:35F0605443AAF5A1D54D4AE2FDE9529F2352C393125E6B13EF091A93A8EA7829
PID: 3836 | Process: WinRAR.exe | Type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\4TDOFY41.htm
MD5:13CADD593C0A0718E5A1874823C5CF95
SHA256:ABB152D2172487AB1066E8BE77BDE31C1CAFDBAEECBB13F65B9D076B9A37E57B
PID: 3836 | Process: WinRAR.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4412A7AA4EDDD2AA943013DE892975B2
MD5:45C9B3DC3BFA437B0D8023C7BA56D9CB
SHA256:13AE5FB5A4B4BC70BA3E2BD235831240F3B4F8BA8406AC29A14E96A804342CB3
PID: 3836 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4412A7AA4EDDD2AA943013DE892975B2
MD5:FFCDC0B316729BB32C7C0F86F0299ECB
SHA256:A699855BE27E4455288AAF414CD790A224DFD179C2CD12C6F7D359CE48A38811
PID: 3836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\price_cut[1].css
MD5:A4652644501EE0A5D0AC88A953B6352F
SHA256:A5D912385F339279BFA84738A7749D0CDD6225EDF9660457D5BE4D9D6DDC31B6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3836
WinRAR.exe
GET
200
104.18.20.213:80
http://e6.c.lencr.org/26.crl
unknown
whitelisted
4816
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4816
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1652
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4864
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3836
WinRAR.exe
51.195.68.173:443
notifier.win-rar.com
OVH SAS
FR
malicious
3836
WinRAR.exe
104.18.20.213:80
e6.c.lencr.org
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.158
  • 23.48.23.159
  • 23.48.23.173
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.162
  • 23.48.23.169
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
notifier.win-rar.com
  • 51.195.68.173
malicious
e6.c.lencr.org
  • 104.18.20.213
  • 104.18.21.213
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
naeembolchhi.github.io
  • 185.199.108.153
  • 185.199.111.153
  • 185.199.109.153
  • 185.199.110.153
unknown
login.live.com
  • 40.126.32.72
  • 40.126.32.138
  • 20.190.160.20
  • 20.190.160.130
  • 20.190.160.64
  • 20.190.160.5
  • 40.126.32.133
  • 20.190.160.67
whitelisted

Threats

No threats detected
No debug info