File name:	rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72
Full analysis:	https://app.any.run/tasks/0a45a137-09b7-4892-b106-ecaac5ca4883
Verdict:	Malicious activity
Analysis date:	July 07, 2025, 08:15:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec susp-lnk
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	2B3D8369AFE5E82ABB2466C48AD55150
SHA1:	B3CD9A725780BED5CD153503BD8986E022C25FFD
SHA256:	6CB99C763CC92DE59EAD5115E62C575DB562560010D035E5E7B756BC74E39A72
SSDEEP:	98304:PLHgYq6kFcIZE16xPaHfJ/C/Y4N5uAwnaF/lFnrqNlRtjs27ChCKRqdZml+eo8:Zw

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:07:07 07:43:58
ZipCRC:	0x21271191
ZipCompressedSize:	577844
ZipUncompressedSize:	4334869
ZipFileName:	f5d89e872c18e66fad8a20bdd42bc82fe0a28096_f26ccleb


(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4192) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\f5d89e872c18e66fad8a20bdd42bc82fe0a28096_f26ccleb		—
		MD5:—	SHA256:—
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\9e246859398f0bfd39fb1df94bcd385ce831b4fe_vm5o4rwc		—
		MD5:—	SHA256:—
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\cdd4f1bb28ac96caeda9882f9d9045b518cbb317_v9az33ws		—
		MD5:—	SHA256:—
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\8d2e194ffce24fb85bea9ab91e3c886a3c515f7d_lgv6_1p0		text
		MD5:7E2F53137DDE736517DC7D440D878EE7	SHA256:F2840B5CB81F737BC15CB28500F4B98AEECEDE1F1C3EEA0A1D14AFF06F43041A
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\2884ce6d51fc56c44454bc65ff7cc8a0ebfbb690_goxhlhar		html
		MD5:8C322375F13D038C71099017704B1B08	SHA256:3441F242DD4983A267FA3B251F9F88F3F554F2F12D73AB9898F4035FD8D73783
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\Rar$Scan117511.bat		text
		MD5:F6950A6D898D2916DBAF767838FD7E63	SHA256:E95DA42003D4C6C2D597D50A89B896354B1B78101B8A357652A75D227A337791
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\f0c457c38a8f194eb00c7ee1caedd78d7c062c6b_icbeju0_		image
		MD5:2C2951F9C795C19412BF900F8E0EA00E	SHA256:ED50E2FACAD39039D06D6A2F858FB8F93AD4EAEFA3F64D6871260D29F276D515
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\be5125f47279ed738fe973891e30227b8e1658e6_go7xhejd		binary
		MD5:3E3C6403BEED2B7CE52714089269710C	SHA256:E70F2D467FAB518FAEC846785605C12D6361FE5B20AC279CA8B67CCC1CE28367
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\d1cacf19399cde9a7d6dae2c47ad0683aa26faac_g48glqxe		text
		MD5:D55DAB37D36F84E81789EF6970E44590	SHA256:F2B7F7B187F25E934ECA281C67BF4C5BDDB71DD4869BE154569131982B5049DF
4192	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR4192.9078\rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72.zip\6c997dc89779a4e00ff9b34db11622df346a4fae_x_xtnsgw		compressed
		MD5:8F2F141601B0CE493DECB36095DD9A35	SHA256:EEC1042BA006256C8E07BEB2AFAE4E24B578BE0F9D924EAA7EABF396513BE399

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2368	RUXIMICS.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2368	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	HEAD	200	104.16.231.132:443	https://try-dl-tourism-alexander.trycloudflare.com/vin.bat	unknown	—	—	—
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	104.16.230.132:443	https://try-dl-tourism-alexander.trycloudflare.com/vin.bat	unknown	text	2.52 Kb	whitelisted
—	—	GET	200	104.16.230.132:443	https://try-dl-tourism-alexander.trycloudflare.com/vin.bat	unknown	text	2.52 Kb	whitelisted
—	—	HEAD	200	104.16.231.132:443	https://try-dl-tourism-alexander.trycloudflare.com/vin.bat	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2368	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2368	RUXIMICS.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2368	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6024	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	20.42.73.24	whitelisted
try-dl-tourism-alexander.trycloudflare.com	104.16.231.132 104.16.230.132	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200	svchost.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
2200	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
1352	svchost.exe	Misc activity	ET HUNTING TryCloudFlare Domain in TLS SNI
1352	svchost.exe	Misc activity	ET INFO Observed trycloudflare .com Domain in TLS SNI
—	—	A Network Trojan was detected	LOADER [ANY.RUN] Gen.Powershell.Downloader Script Payload
—	—	A Network Trojan was detected	LOADER [ANY.RUN] Gen.Powershell.Downloader Script Payload
—	—	A Network Trojan was detected	LOADER [ANY.RUN] Gen.Powershell.Downloader Script Payload
—	—	A Network Trojan was detected	LOADER [ANY.RUN] Gen.Powershell.Downloader Script Payload

General Info

rl_6cb99c763cc92de59ead5115e62c575db562560010d035e5e7b756bc74e39a72

2B3D8369AFE5E82ABB2466C48AD55150

B3CD9A725780BED5CD153503BD8986E022C25FFD

6CB99C763CC92DE59EAD5115E62C575DB562560010D035E5E7B756BC74E39A72

98304:PLHgYq6kFcIZE16xPaHfJ/C/Y4N5uAwnaF/lFnrqNlRtjs27ChCKRqdZml+eo8:Zw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Downloads files via BITSADMIN.EXE

SUSPICIOUS

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

INFO

Checks proxy server information

Reads the software policy settings

Create files in a temporary directory

Reads the computer name

Checks supported languages

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings