File name:

Underground.zip

Full analysis: https://app.any.run/tasks/7d62fcd8-3ced-43cc-80d7-beaa2c4982fa
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 12, 2025, 11:10:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
underground
arch-exec
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

C2A4E9D748253CDD0BA05C632475616E

SHA1:

736BF5A4C8A77BCE3C3EC85FC79D2B50A0EB02CA

SHA256:

652033CCC563D8DABCAAE6473272318BF87E9F1E31BCE9ACACC01900A16F5C40

SSDEEP:

1536:ENULlRWo9kSgj/+HtwMYLVLmL0hDVRlcPAh0IkK9d5gv9l:sULv9SKHgLmL0Nj9hGK9fkP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • UNDERGROUND has been found (auto)

      • WinRAR.exe (PID: 4788)

    • Generic archive extractor

      • WinRAR.exe (PID: 4788)

    • Starts NET.EXE for service management

      • Underground.exe (PID: 4236)
      • net.exe (PID: 1204)
      • net.exe (PID: 2272)

    • RANSOMWARE has been detected

      • Underground.exe (PID: 4236)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Underground.exe (PID: 4236)

    • Creates file in the systems drive root

      • Underground.exe (PID: 4236)

    • Uses REG/REGEDIT.EXE to modify registry

      • Underground.exe (PID: 4236)

    • Write to the desktop.ini file (may be used to cloak folders)

      • Underground.exe (PID: 4236)

  • INFO

    • Manual execution by a user

      • Underground.exe (PID: 4236)
      • WINWORD.EXE (PID: 6224)
      • notepad.exe (PID: 6936)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4788)

    • Checks supported languages

      • Underground.exe (PID: 4236)
      • SearchApp.exe (PID: 2648)

    • Reads the computer name

      • Underground.exe (PID: 4236)
      • SearchApp.exe (PID: 2648)

    • Creates files or folders in the user directory

      • Underground.exe (PID: 4236)

    • Process checks computer location settings

      • Underground.exe (PID: 4236)
      • SearchApp.exe (PID: 2648)

    • Creates files in the program directory

      • Underground.exe (PID: 4236)

    • Create files in a temporary directory

      • Underground.exe (PID: 4236)

    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 2648)

    • Reads the software policy settings

      • SearchApp.exe (PID: 2648)
      • slui.exe (PID: 3844)

    • Reads Environment values

      • SearchApp.exe (PID: 2648)

    • Checks proxy server information

      • slui.exe (PID: 3844)
      • SearchApp.exe (PID: 2648)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:07:12 11:08:30
ZipCRC: 0x41402d95
ZipCompressedSize: 74830
ZipUncompressedSize: 131584
ZipFileName: Underground.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
18
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #UNDERGROUND winrar.exe THREAT underground.exe no specs reg.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs reg.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs searchapp.exe slui.exe winword.exe ai.exe no specs rundll32.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
592"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / fC:\Windows\SysWOW64\reg.exeUnderground.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1204"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /mC:\Windows\SysWOW64\net.exeUnderground.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2272"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /mC:\Windows\SysWOW64\net.exeUnderground.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2648"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mcaC:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ntmarta.dll
3844\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3844C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3880"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / fC:\Windows\SysWOW64\reg.exeUnderground.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4236"C:\Users\admin\Desktop\Underground.exe" C:\Users\admin\Desktop\Underground.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\underground.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
4788"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Underground.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
14 195
Read events
13 843
Write events
327
Delete events
25

Modification events

(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Underground.zip
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(4788) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
9
Suspicious files
1 587
Text files
222
Unknown types
1

Dropped files

PID
Process
Filename
Type
4236Underground.exeC:\Program Files\Mozilla Firefox\browser\omni.ja
MD5:
SHA256:
4236Underground.exeC:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpibinary
MD5:2E5CCBE79532CC1D498F0F58836DA762
SHA256:D81EFC8B385CC28259C0E375C7F9CD8C1D2B921BA2F73FFD2DC35D240D46746F
4236Underground.exeC:\Program Files\Mozilla Firefox\omni.ja
MD5:
SHA256:
4236Underground.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\browser\!!readme!!!.txttext
MD5:8BB168991DB90E39134990D032DE37CB
SHA256:E8CA0CE5D554CE129F948E009186C350D07A743B0FA956095A83340F43CCB775
4236Underground.exeC:\Program Files\Mozilla Firefox\browser\features\pictureinpicture@mozilla.org.xpibinary
MD5:0AC8B95BD49024F04B7DBA4EB901BA28
SHA256:F8FA5C805CEF219A0292F114BA638B561EAE68CD7E178A7BA183582240AA17C5
4788WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa4788.44704\Underground.exeexecutable
MD5:36A00142DB6E258B6604EFD7CC930DD8
SHA256:CC80C74A3592374341324D607D877DCF564D326A1354F3F2A4AF58030E716813
4236Underground.exeC:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.pngbinary
MD5:C6068C31F55FACB951AA433D1BA362C6
SHA256:1E93193B988CEE2220464D8E6BB814FC66B948C97B2118719CA8A0BB1866E146
4236Underground.exeC:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpibinary
MD5:4646DFBFE0EA0AD7C3B65E93B932BDDA
SHA256:711C4A028A29719171861DC08BC72849604C5860E45025CF358BD06385C28194
4236Underground.exeC:\Program Files\Mozilla Firefox\firefox.xpibinary
MD5:A8F369D06480C5C805284E2BFBFC38BC
SHA256:35C487BD59B662C506CFB6AC308F00B42D7B57BB8C976032C0BF46CE0302C7C1
4236Underground.exeC:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpibinary
MD5:EC913F67B14738DBDCC4EF73DAAD25BA
SHA256:6FE568A39A9F48771A0D22CF8C345E389DDAE59C2AED6931C5CB1528DA974B58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
32
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2876
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3940
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3940
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
6224
WINWORD.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6224
WINWORD.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2648
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
892
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2876
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.76
  • 20.190.160.2
  • 40.126.32.136
  • 20.190.160.4
  • 20.190.160.20
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
www.bing.com
  • 2.16.241.207
  • 2.16.241.205
  • 2.16.241.218
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Underground.zip