File name: Release_x64.zip

Full analysis: https://app.any.run/tasks/6049f1fb-06ec-4b5f-be24-5f1c129ca021
Verdict: Malicious activity
Analysis date: October 23, 2024, 12:57:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: EB07E464101A8E02298B79A71086837B
SHA1: 8DA823868381F2F20B4E095BE065433A4E625AC1
SHA256: 70E982BBFEDCA5F1DF51F7B2F7713CEDAF3124053074737B3D77E460894D2FC7
SSDEEP: 6144:zmef50C0pqkwOweXzJzjcEKNX++NKNVFUSqp:y050C0pqkwbSo+he

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1196)
    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 7680)
      • powershell.exe (PID: 7976)
      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 7608)
      • cmd.exe (PID: 5892)
      • cmd.exe (PID: 992)
      • cmd.exe (PID: 7756)
  • SUSPICIOUS

    • Executing commands from ".cmd" file

      • cmd.exe (PID: 7436)
      • wscript.exe (PID: 7588)
      • explorer.exe (PID: 8044)
      • cmd.exe (PID: 5300)
      • wscript.exe (PID: 5008)
      • wscript.exe (PID: 8124)
      • cmd.exe (PID: 7656)
      • explorer.exe (PID: 5448)
      • cmd.exe (PID: 4376)
      • wscript.exe (PID: 5724)
      • explorer.exe (PID: 616)
      • cmd.exe (PID: 7636)
      • explorer.exe (PID: 1588)
      • cmd.exe (PID: 5640)
      • wscript.exe (PID: 7480)
      • wscript.exe (PID: 5460)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7680)
      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 7608)
      • cmd.exe (PID: 5892)
      • cmd.exe (PID: 992)
      • cmd.exe (PID: 7756)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7588)
      • cmd.exe (PID: 7436)
      • explorer.exe (PID: 8044)
      • cmd.exe (PID: 5300)
      • wscript.exe (PID: 5008)
      • cmd.exe (PID: 4376)
      • wscript.exe (PID: 8124)
      • wscript.exe (PID: 5724)
      • explorer.exe (PID: 5448)
      • cmd.exe (PID: 7656)
      • explorer.exe (PID: 616)
      • cmd.exe (PID: 7636)
      • wscript.exe (PID: 5460)
      • explorer.exe (PID: 1588)
      • cmd.exe (PID: 5640)
      • wscript.exe (PID: 7480)
    • The process executes VB scripts

      • cmd.exe (PID: 7436)
      • cmd.exe (PID: 5300)
      • cmd.exe (PID: 4376)
      • cmd.exe (PID: 7656)
      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 5640)
    • Application launched itself

      • cmd.exe (PID: 7436)
      • cmd.exe (PID: 5300)
      • cmd.exe (PID: 7656)
      • cmd.exe (PID: 4376)
      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 5640)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7680)
      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 5892)
      • cmd.exe (PID: 7608)
      • cmd.exe (PID: 992)
      • cmd.exe (PID: 7756)
    • Starts POWERSHELL.EXE for commands execution

      • explorer.exe (PID: 8044)
    • The process executes via Task Scheduler

      • explorer.exe (PID: 8044)
      • explorer.exe (PID: 5448)
      • explorer.exe (PID: 2776)
      • explorer.exe (PID: 616)
      • explorer.exe (PID: 1588)
      • explorer.exe (PID: 5280)
  • INFO

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7496)
      • mode.com (PID: 7752)
      • mode.com (PID: 4812)
      • mode.com (PID: 5304)
      • mode.com (PID: 3744)
      • mode.com (PID: 5444)
      • mode.com (PID: 5480)
      • mode.com (PID: 6568)
      • mode.com (PID: 4808)
      • mode.com (PID: 4516)
      • mode.com (PID: 7636)
      • mode.com (PID: 6624)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1196)
    • Manual execution by a user

      • cmd.exe (PID: 7436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:02:12 01:13:58
ZipCRC: 0x3276c77e
ZipCompressedSize: 4773
ZipUncompressedSize: 10938
ZipFileName: ReadMe.txt
No data.
All screenshots are available in the full report
Total processes: 273
Monitored processes: 131
Malicious processes: 2
Suspicious processes: 19

Behavior graph

start winrar.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs fsutil.exe no specs cmd.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs mode.com no specs fsutil.exe no specs fsutil.exe no specs regsvr32.exe no specs taskkill.exe no specs explorer.exe no specs timeout.exe no specs explorer.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs tiworker.exe no specs searchapp.exe no specs rundll32.exe no specs mobsync.exe no specs powershell.exe no specs conhost.exe no specs regsvr32.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs fsutil.exe no specs cmd.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs mode.com no specs fsutil.exe no specs fsutil.exe no specs regsvr32.exe no specs taskkill.exe no specs explorer.exe no specs timeout.exe no specs explorer.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs searchapp.exe no specs rundll32.exe no specs mobsync.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs cmd.exe no specs conhost.exe no specs fsutil.exe no specs cmd.exe no specs mode.com no specs fsutil.exe no specs cmd.exe no specs wscript.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs cmd.exe mode.com no specs conhost.exe no specs fsutil.exe no specs fsutil.exe no specs regsvr32.exe no specs mode.com no specs fsutil.exe no specs fsutil.exe no specs regsvr32.exe no specs taskkill.exe no specs explorer.exe no specs timeout.exe no specs explorer.exe no specs taskkill.exe no specs explorer.exe no specs timeout.exe no specs explorer.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe no specs rundll32.exe no specs mobsync.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs fsutil.exe no specs cmd.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs mode.com no specs fsutil.exe no specs fsutil.exe no 
specs regsvr32.exe no specs taskkill.exe no specs explorer.exe no specs timeout.exe no specs explorer.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe no specs rundll32.exe no specs mobsync.exe no specs notepad.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs fsutil.exe no specs cmd.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs mode.com no specs fsutil.exe no specs fsutil.exe no specs regsvr32.exe no specs taskkill.exe no specs explorer.exe no specs timeout.exe no specs explorer.exe no specs searchapp.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs mobsync.exe no specs rundll32.exe no specs

Process information

PID: 204
CMD: timeout /t 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 3221225786
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 528
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 2
Version: 10.0.19041.3758 (WinBuild.160101.0800)

PID: 616
CMD: "C:\WINDOWS\explorer.exe" /NoUACCheck
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)

PID: 784
CMD: fsutil dirty query C:
Path: C:\Windows\System32\fsutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: fsutil.exe
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 992
CMD: "C:\Windows\System32\cmd.exe" /k cd "C:\Users\admin\Desktop\Release\" && "C:\Users\admin\Desktop\Release\register.cmd"
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 3221225786
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1172
CMD: cmd /u /c echo Set UAC = CreateObject("Shell.Application") : UAC.ShellExecute "cmd.exe", "/k cd ""C:\Users\admin\Desktop\Release\"" && ""C:\Users\admin\Desktop\Release\register.cmd"" ", "", "runas", 1
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1196
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Release_x64.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1432
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 2
Version: 10.0.19041.3758 (WinBuild.160101.0800)

PID: 1452
CMD: fsutil dirty query C:
Path: C:\Windows\System32\fsutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: fsutil.exe
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1584
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 206
Text files: 337
Unknown types: 5

Dropped files

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741618502986674.txt~RF904f5.TMP
Type:
MD5:
SHA256:

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Type: binary
MD5: D29BFFEBF06CFD19E360AFE71F590FCC
SHA256: 95F8217E25285A8EEC72FB8F78B3F3F85DC1CBCE0732D84FA8F1067233EC21ED

PID: 1584
Process: TiWorker.exe
Filename: C:\Windows\Logs\CBS\CBS.log
Type: text
MD5: E04B5ED5607D219C8ACC6FF982C73871
SHA256: 0A194EE3998A1222BB47769D1AF8FEB5E3D08B9E7C2B54C77D70DCBCF35D33B8

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\yy4SnZtT2-rfsZpLbcm-u8xyafQ[1].css
Type: text
MD5: F17DF11A7C86F77E92950D111ABAF4E1
SHA256: 72504249ABB304D8B5F75A5E9182B478112E02773B8A9A276CD4982D8CF842FE

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\f4st08wpuYBQ5KWRJ3MqAsJB8zg[1].css
Type: text
MD5: 3D24779C6014BCFEFB3D9A80B8F3567B
SHA256: A7EF8FAA37710D7E90C9C8950C203C8DA82410780F872E4F217EE636250D831F

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\P26HLZ9S\-UAIppANYxiGpRWJy2NDph4qOEw.gz[1].jss
MD5: 9E527B91C2D8B31B0017B76049B5E4E3
SHA256: 38EDF0F961C1CCB287880B88F12F370775FC65B2E28227EEE215E849CDBE9BBC

PID: 1196
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.4614\Release\ExplorerBlurMica.dll
Type: executable
MD5: B10D1151419C25E1E7F62FAF643026A2
SHA256: F0FB61E3ABD19EEE67BA486045DA823A62F6B7E99FF4C51375BC280246FA49A5

PID: 7436
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\getadmin.vbs
Type: binary
MD5: 63DDFF86D15502093C38C1D396CBEB3C
SHA256: 9F9714C44486FAA0B6C071D3EE4F098605412B91DC37C9B57D7996C2D7DB76AC

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\-lxTjronWiCCazqIxFTp4HrDoXc.gz[1].js
Type: binary
MD5: 8465A334065673EB6A6487C8D87539DB
SHA256: 84ED6C495B322B0F2213CC33EC6C652D84D82E010C928B1141DB2290D4365F3D

PID: 1788
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\bBHwcntRZloMEpvbWTbdZICG1aQ[1].css
Type: text
MD5: 5AC1CE7D977C035B132640DDD3E41842
SHA256: 1846FE0726589F51551E8E53BFC8507AD08E9919037951933D382B834145ECEF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 69
DNS requests: 31
Threats: 0

HTTP requests

Method | HTTP Code | IP | URL | CN | Reputation
GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

IP | Domain | ASN | CN | Reputation
192.168.100.255:137 | | | | whitelisted
20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
239.255.255.250:1900 | | | | whitelisted
192.168.100.255:138 | | | | whitelisted
2.23.209.179:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.72.205.209
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.164.51
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.154
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.158
  • 2.23.209.176
  • 2.23.209.156
  • 2.23.209.150
  • 2.23.209.160
  • 92.123.104.36
  • 92.123.104.37
  • 92.123.104.40
  • 92.123.104.42
  • 92.123.104.33
  • 92.123.104.38
  • 92.123.104.41
  • 92.123.104.34
  • 92.123.104.35
  • 92.123.104.21
  • 92.123.104.31
  • 92.123.104.26
  • 92.123.104.30
  • 92.123.104.18
  • 92.123.104.24
  • 92.123.104.32
  • 92.123.104.17
  • 92.123.104.19
  • 2.16.110.123
  • 2.16.110.121
  • 2.20.142.154
  • 92.122.215.53
  • 2.20.142.180
  • 92.122.215.65
  • 2.20.142.187
  • 92.122.215.57
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.17
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.74
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.20
whitelisted
th.bing.com
  • 2.23.209.160
  • 2.23.209.179
  • 2.23.209.154
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.158
  • 2.23.209.176
  • 2.23.209.156
  • 2.23.209.150
  • 92.123.104.35
  • 92.123.104.36
  • 92.123.104.37
  • 92.123.104.40
  • 92.123.104.42
  • 92.123.104.33
  • 92.123.104.38
  • 92.123.104.41
  • 92.123.104.34
  • 2.16.110.121
  • 2.16.110.123
  • 92.123.104.10
  • 92.123.104.67
  • 92.123.104.7
  • 92.123.104.4
  • 92.123.104.12
  • 92.123.104.14
  • 92.123.104.63
  • 92.123.104.65
  • 92.123.104.5
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
r.bing.com
  • 92.123.104.36
  • 92.123.104.37
  • 92.123.104.40
  • 92.123.104.42
  • 92.123.104.33
  • 92.123.104.38
  • 92.123.104.41
  • 92.123.104.34
  • 92.123.104.35
  • 2.16.110.121
  • 2.16.110.123
  • 92.123.104.26
  • 92.123.104.32
  • 92.123.104.31
  • 92.123.104.30
  • 92.123.104.28
  • 92.123.104.24
whitelisted

Threats

No threats detected
No debug info