Malware analysis f83fb9ce6a83da58b20685c1d7e1e546 (1).zip Malicious activity

Add for printing

File name:	f83fb9ce6a83da58b20685c1d7e1e546 (1).zip
Full analysis:	https://app.any.run/tasks/c4eae6d3-f244-4f60-ac22-a4f909da1eec
Verdict:	Malicious activity
Threats:	Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 18, 2025, 05:50:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec maze ransomware stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	A024E1D53D75EAEFC4AA74131FF16FD8
SHA1:	CFD053A7E793EC84EC78679F224B417C760E0A5E
SHA256:	77B2731FF3C7A14B8B962EA387C41293415B3478E73973888851991105777560
SSDEEP:	12288:6Zr2Dvm+2LDF+jgcz5jCDiIuexi3FBUzvASSB7d:6ZCDvmRLDwjPrIuekUz4SS5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 6412)
- Maze ransom note is found
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- MAZE mutex has been found
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 3564)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 4624)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 204)
- Maze is detected
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- RANSOMWARE has been detected
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Actions looks like stealing of personal data
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Modifies files in the Chrome extension folder
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6412)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Creates file in the systems drive root
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Connects to the server without a host name
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
INFO
- Reads the machine GUID from the registry
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Checks supported languages
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 204)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 3564)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 4624)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6412)
- Creates files in the program directory
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Reads the computer name
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 204)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 3564)
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 4624)
- Creates files or folders in the user directory
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)
- Checks proxy server information
  - e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 7092)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2020:12:06 13:31:08
ZipCRC:	0x3e6fd65f
ZipCompressedSize:	427125
ZipUncompressedSize:	484352
ZipFileName:	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

204

"C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.23307\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.23307\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb6412.23307\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3564

"C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.33557\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.33557\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb6412.33557\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

4624

"C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.35752\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.35752\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb6412.35752\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6412

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f83fb9ce6a83da58b20685c1d7e1e546 (1).zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7092

"C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.17394\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.17394\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb6412.17394\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

3 075

Read events

3 058

Write events

Delete events

Modification events


(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\f83fb9ce6a83da58b20685c1d7e1e546 (1).zip
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(7092) e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

Suspicious files

3 179

Text files

689

Unknown types

Dropped files

PID	Process	Filename		Type
6412	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6412.17394\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe		executable
		MD5:F83FB9CE6A83DA58B20685C1D7E1E546	SHA256:E8A091A84DD2EA7EE429135FF48E9F48F7787637CCB79F6C3EB42F34588BC684
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\bootTel.dat		binary
		MD5:5D6FF9D2FAD648BA93DFAE0EE790115E	SHA256:019CFD4E2CAB178B5F6B8AC42B8370547D2F34EEE2B1581FC95040D02ACCD2E7
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\DECRYPT-FILES.html		html
		MD5:D1DEB9D6181BCDF53F8C9FF6AA6EE456	SHA256:2124C56233C354C85254E774C743B7B225DA29C11D2FEE997C2BE396510EC6DB
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\Users\admin\AppData\Local\VirtualStore\DECRYPT-FILES.html		html
		MD5:D1DEB9D6181BCDF53F8C9FF6AA6EE456	SHA256:2124C56233C354C85254E774C743B7B225DA29C11D2FEE997C2BE396510EC6DB
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\BOOTNXT		binary
		MD5:218FB88782DDB5A05C6A1387F5B6E1D0	SHA256:5E1A81FC5E0C9C00F26C3C245891A8D24CEADD7A1722614C3C59EB4D35F3804F
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\ProgramData\foo.db		binary
		MD5:76F8F28BD51EFA03AB992FDB050C8382	SHA256:5470F0644589685000154CB7D3F60280ACB16E39CA961CCE2C016078B303BC1B
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst		binary
		MD5:40CC1CA391F0DE2DC29FF2845967B517	SHA256:3C1A0C142685EBFAA54F134AD37BA7C609F7258C03C42E8E3881AE8557D8EA4C
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\Users\admin\AppData\Local\DECRYPT-FILES.html		html
		MD5:D1DEB9D6181BCDF53F8C9FF6AA6EE456	SHA256:2124C56233C354C85254E774C743B7B225DA29C11D2FEE997C2BE396510EC6DB
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\Users\admin\AppData\DECRYPT-FILES.html		html
		MD5:D1DEB9D6181BCDF53F8C9FF6AA6EE456	SHA256:2124C56233C354C85254E774C743B7B225DA29C11D2FEE997C2BE396510EC6DB
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	C:\BOOTNXT.QWVBb4		binary
		MD5:218FB88782DDB5A05C6A1387F5B6E1D0	SHA256:5E1A81FC5E0C9C00F26C3C245891A8D24CEADD7A1722614C3C59EB4D35F3804F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6216	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	POST	—	92.63.194.20:80	http://92.63.194.20/tracker/archive/qgcvr.aspx?dl=1ao2n&emyv=ouxo	unknown	—	—	malicious
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	POST	500	92.63.194.20:80	http://92.63.194.20/tracker/archive/qgcvr.aspx?dl=1ao2n&emyv=ouxo	unknown	—	—	malicious
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	POST	301	92.63.194.3:80	http://92.63.194.3/webaccess/analytics/yyeqd.phtml	unknown	—	—	malicious
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6216	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6708	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
372	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1480	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3976	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1176	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
1076	svchost.exe	184.30.18.9:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
6708	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	20.190.159.75 20.190.159.128 20.190.159.130 20.190.159.129 40.126.31.73 40.126.31.129 20.190.159.73 40.126.31.128	whitelisted
go.microsoft.com	184.30.18.9	whitelisted
arc.msn.com	20.223.35.26	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
www.microsoft.com	104.119.109.218	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted

Threats

PID	Process	Class	Message
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	A Network Trojan was detected	ET MALWARE Maze/ID Ransomware Activity
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	A Network Trojan was detected	ET MALWARE Maze/ID Ransomware Activity
7092	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	A Network Trojan was detected	ET MALWARE Maze/ID Ransomware Activity

Add for printing

No debug info

General Info

f83fb9ce6a83da58b20685c1d7e1e546 (1).zip

A024E1D53D75EAEFC4AA74131FF16FD8

CFD053A7E793EC84EC78679F224B417C760E0A5E

77B2731FF3C7A14B8B962EA387C41293415B3478E73973888851991105777560

12288:6Zr2Dvm+2LDF+jgcz5jCDiIuexi3FBUzvASSB7d:6ZCDvmRLDwjPrIuekUz4SS5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Maze ransom note is found

MAZE mutex has been found

Maze is detected

RANSOMWARE has been detected

Actions looks like stealing of personal data

Modifies files in the Chrome extension folder

SUSPICIOUS

Reads security settings of Internet Explorer

Creates file in the systems drive root

Connects to the server without a host name

INFO

Reads the machine GUID from the registry

Checks supported languages

Executable content was dropped or overwritten

Creates files in the program directory

Reads the computer name

Creates files or folders in the user directory

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings