Malware analysis D0WN10AD_S𐌄ᴛUP_PAS5_(2332)_F1LE.zip Malicious activity

Add for printing

File name:	D0WN10AD_S𐌄ᴛUP_PAS5_(2332)_F1LE.zip
Full analysis:	https://app.any.run/tasks/92c90680-a724-48ba-8dbd-cf4fe9d3c092
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 25, 2025, 02:46:18
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-doc stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	469B0DCD90958C95B08F960C9FE038FB
SHA1:	1739F5D9C233DEE4CCAAF16F258676180DB5F207
SHA256:	735BC3DCE4A53EFBA43AD1D93C7B2CA6654E10A0B715F779474D515254BB7D9D
SSDEEP:	98304:9dPkBRtWm+3VrPlkGk3gD6mX8jyzgODM+vEqLOgRvUU0Rs1nYdX7MkpXZgn5WZrp:6lFjcM3/i7GyLvFIH/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - asm.exe (PID: 7216)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 7604)
  - WinRAR.exe (PID: 7380)
  - WinRAR.exe (PID: 7280)
- Application launched itself
  - WinRAR.exe (PID: 7380)
  - WinRAR.exe (PID: 7604)
- Starts a Microsoft application from unusual location
  - Setup.exe (PID: 6492)
  - Setup.exe (PID: 7256)
  - Setup.exe (PID: 456)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 7280)
  - Setup.exe (PID: 6492)
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 7280)
  - Setup.exe (PID: 6492)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 6492)
- Loads DLL from Mozilla Firefox
  - asm.exe (PID: 7216)
- Starts CMD.EXE for commands execution
  - WinRAR.exe (PID: 7280)
- Executing commands from a ".bat" file
  - WinRAR.exe (PID: 7280)
- Searches for installed software
  - asm.exe (PID: 7216)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7280)
- The sample compiled with english language support
  - WinRAR.exe (PID: 7280)
  - Setup.exe (PID: 6492)
- The sample compiled with chinese language support
  - WinRAR.exe (PID: 7280)
- Reads the computer name
  - Setup.exe (PID: 6492)
  - Setup.exe (PID: 7256)
  - asm.exe (PID: 7216)
  - asm.exe (PID: 2192)
  - MpCmdRun.exe (PID: 6884)
- Checks supported languages
  - Setup.exe (PID: 6492)
  - asm.exe (PID: 7216)
  - asm.exe (PID: 2192)
  - MpCmdRun.exe (PID: 6884)
  - Setup.exe (PID: 7256)
- Creates files in the program directory
  - Setup.exe (PID: 6492)
- Create files in a temporary directory
  - Setup.exe (PID: 6492)
  - Setup.exe (PID: 7256)
  - MpCmdRun.exe (PID: 6884)
- Reads the machine GUID from the registry
  - asm.exe (PID: 7216)
- Manual execution by a user
  - Setup.exe (PID: 456)
- Reads CPU info
  - asm.exe (PID: 7216)
- Process checks whether UAC notifications are on
  - asm.exe (PID: 7216)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	0x0800
ZipCompression:	None
ZipModifyDate:	2025:10:24 23:48:04
ZipCRC:	0x2726696d
ZipCompressedSize:	7437470
ZipUncompressedSize:	7437470
ZipFileName:	0𝙋e𝙉_𝙎𝙀𝙏𝙐𝙋_𝙁!1e.zip

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

153

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

456

"C:\Users\admin\Desktop\Setup.exe"

C:\Users\admin\Desktop\Setup.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Test Authoring and Execution Framework [v10.88]

Exit code:

3222601730

Version:

10.88.2411.08001

Modules

Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll

600

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2192

C:\Users\admin\AppData\Local\Temp\487514\asm.exe

—

Setup.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\e404e13.tmp
c:\users\admin\appdata\local\temp\487514\asm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

3144

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

—

asm.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

27768

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6492

"C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Setup.exe

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Test Authoring and Execution Framework [v10.88]

Exit code:

Version:

10.88.2411.08001

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa7280.3551\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\temp\rar$exa7280.3551\te.winrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\users\admin\appdata\local\temp\rar$exa7280.3551\te.common.dll

6884

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7280.7278"

C:\Program Files\Windows Defender\MpCmdRun.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Malware Protection Command Line Utility

Exit code:

Version:

4.18.1909.6 (WinBuild.160101.0800)

Modules

Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

7216

C:\Users\admin\AppData\Local\Temp\487514\asm.exe

Setup.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\e07d03.tmp
c:\users\admin\appdata\local\temp\487514\asm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

7256

"C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.5015\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.5015\Setup.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Test Authoring and Execution Framework [v10.88]

Exit code:

Version:

10.88.2411.08001

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa7280.5015\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\temp\rar$exa7280.5015\te.winrt.dll
c:\windows\system32\ole32.dll
c:\users\admin\appdata\local\temp\rar$exa7280.5015\te.common.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

7280

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb7604.2651\SETUP.zip

C:\Program Files\WinRAR\WinRAR.exe

WinRAR.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7380

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\D0WN10AD_S𐌄ᴛUP_PAS5_(2332)_F1LE.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

10 651

Read events

10 607

Write events

Delete events

Modification events


(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\D0WN10AD_S𐌄ᴛUP_PAS5_(2332)_F1LE.zip
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

Add for printing

Executable files

101

Suspicious files

Text files

191

Unknown types

Dropped files

PID	Process	Filename		Type
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Atfrog.fc		binary
		MD5:F028FCFF9963B2679DDA4BF0519B6A2C	SHA256:81B3FAFFCEBACF7916413ED42B33EEBCB643D825CD5EC3F14E5E7358D2845BE5
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Library\InstallHelper.dll		executable
		MD5:244C5B91A218182C932943B6DA87AA84	SHA256:513C0C2C6A350E416CF848DDEBF00CFF8DFA19C292CC2B8D762378E476FD3E92
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Conduit.Broker.dll		executable
		MD5:30213C8FFAE77C8BFE947660949048B6	SHA256:B019DC9FD9132FF113A7E572819DF386446744E7F800C8AAA4049FC4EC2B5AAF
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Library\libEGL.dll		executable
		MD5:FB717F1C477F1B148B881B57046EE042	SHA256:56A0A75A17170FC276D76EAF0B4C7994C3E61A4C459F865A39DAE3931977805A
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Library\adobe_caps.dll		executable
		MD5:7419CE0423F1226F8DBBA61568917101	SHA256:24C9070FB0D6C610332A3BE3D1EA358B2C8FFF9972AF41C58C63DF17901C8ED5
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Library\libprotocd.dll		executable
		MD5:CC0DF7A718AEE200AC1FED17B902055D	SHA256:DDB43990546AE8B4DABEB502C9BA0EC105327E5176318CD4A9FE274C8EB3B64F
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Library\qtiff.dll		executable
		MD5:2D3770E00B5F29B4EFCFB2536C246A06	SHA256:3511CB474DDB5D76EA4BFBE6E219245758181D8994890177E55F6EA63874CA93
7380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa7380.2372\0𝙋e𝙉_𝙎𝙀𝙏𝙐𝙋_𝙁!1e.zip		compressed
		MD5:1E9A62711D8485222A1F8993648051D2	SHA256:14EB51C9F7B94DDCB81CC9CC530B37B23D1FAF46EAA69C56FB30B7E36E6E44C4
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Resource\bug41351_2.phpt		text
		MD5:49C3EE8CEE6E0528CCFFD01064431B1C	SHA256:6F4E842BDEDBB136347B85122BC983EEBF63493DD009E6837654D71C5A98E0F3
7280	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7280.3551\Library\swscale-5.dll		binary
		MD5:66344D55ECA05EDC759E0FA3E8DBBE2A	SHA256:DAE8B734E16E9E75D292D5978F0AD3FC760100D654EAC6D84BDA39C73B7D6BEC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7088	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	DE	binary	314 b	whitelisted
7928	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	DE	binary	471 b	whitelisted
5868	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
7864	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	DE	binary	471 b	whitelisted
6740	SIHClient.exe	GET	200	72.246.169.155:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	DE	binary	813 b	whitelisted
6740	SIHClient.exe	GET	200	72.246.169.155:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	DE	binary	402 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5488	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5384	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5596	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5488	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7088	SearchApp.exe	184.86.251.22:443	www.bing.com	Akamai International B.V.	DE	whitelisted
7088	SearchApp.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
5868	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7088	SearchApp.exe	184.86.251.27:443	www.bing.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.184.238	whitelisted
www.bing.com	184.86.251.22 184.86.251.27	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
login.live.com	20.190.160.2 20.190.160.5 20.190.160.128 20.190.160.66 20.190.160.130 20.190.160.14 40.126.32.133 20.190.160.17	whitelisted
th.bing.com	184.86.251.27 184.86.251.22	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
slscr.update.microsoft.com	135.233.95.144	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

D0WN10AD_S𐌄ᴛUP_PAS5_(2332)_F1LE.zip

469B0DCD90958C95B08F960C9FE038FB

1739F5D9C233DEE4CCAAF16F258676180DB5F207

735BC3DCE4A53EFBA43AD1D93C7B2CA6654E10A0B715F779474D515254BB7D9D

98304:9dPkBRtWm+3VrPlkGk3gD6mX8jyzgODM+vEqLOgRvUU0Rs1nYdX7MkpXZgn5WZrp:6lFjcM3/i7GyLvFIH/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Loads DLL from Mozilla Firefox

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Searches for installed software

INFO

Executable content was dropped or overwritten

The sample compiled with english language support

The sample compiled with chinese language support

Reads the computer name

Checks supported languages

Creates files in the program directory

Create files in a temporary directory

Reads the machine GUID from the registry

Manual execution by a user

Reads CPU info

Process checks whether UAC notifications are on

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings