File name: Orbit.zip

Full analysis: https://app.any.run/tasks/61805f8f-5ffa-4362-bd51-c8261ffca03b
Verdict: Malicious activity
Analysis date: July 04, 2024, 17:52:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 18CDECDB7689F56B90E162BC986FED91
SHA1: EA9DDFC153BBBE80A9DCA5BB79FC6735E87F3523
SHA256: 8B13D40FFB470F984837155E90B8DC17457A4C1153967FA9B0E9ED119DBFCFC0
SSDEEP: 98304:hJ+qlvJLMMAkbRm3OtCCiaWWndqivr5r56WehxL1ritfLlkdqjM4rU+eXz5hUiHO:OSqWv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 5332)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 5332)
    • Drops a system driver (possible attempt to evade defenses)
      • WinRAR.exe (PID: 5332)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 5332)
    • Dropped object may contain TOR URL's
      • WinRAR.exe (PID: 5332)
    • Checks supported languages
      • Orbit Unknowncheats.exe (PID: 3020)
      • Orbit Unknowncheats.exe (PID: 6696)
    • Creates files or folders in the user directory
      • Orbit Unknowncheats.exe (PID: 3020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:06:14 09:00:38
ZipCRC: 0x8fac9e58
ZipCompressedSize: 999374
ZipUncompressedSize: 1976320
ZipFileName: Orbit Unknowncheats.exe
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

  • start
    • winrar.exe
      • orbit unknowncheats.exe (no specs)
      • orbit unknowncheats.exe
        • conhost.exe (no specs)
      • orbit unknowncheats.exe (no specs)
      • orbit unknowncheats.exe
        • conhost.exe (no specs)

Process information

PID: 1520
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit Unknowncheats.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit Unknowncheats.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa5332.37168\orbit unknowncheats.exe
c:\windows\system32\ntdll.dll

PID: 1660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Orbit Unknowncheats.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3020
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit Unknowncheats.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit Unknowncheats.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225786
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa5332.37168\orbit unknowncheats.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_91a79472cc852ba0\gdiplus.dll
c:\windows\system32\gdi32full.dll

PID: 5332
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Orbit.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 6648
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.39181\Orbit Unknowncheats.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.39181\Orbit Unknowncheats.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa5332.39181\orbit unknowncheats.exe
c:\windows\system32\ntdll.dll

PID: 6696
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.39181\Orbit Unknowncheats.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.39181\Orbit Unknowncheats.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa5332.39181\orbit unknowncheats.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_91a79472cc852ba0\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32full.dll

PID: 6704
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Orbit Unknowncheats.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 660
Read events: 5 642
Write events: 18
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP |
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon |
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Orbit.zip
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
5332 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
Executable files: 10
Suspicious files: 6
Text files: 27
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit Unknowncheats.exe | executable | 83B7B051A986977E209078EF4E569DF3 | 500695942BC3C61FA8478E9C48A6155F7FF87C9CB544AC61BAEB4CA913EC6774
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\cs_office.txt | csv | F1EA212D0B3A237C089C73D542AA9A5C | 9C6F94A209C7255B16D6B1FB8F3BA58D20E6A6B947419EA7A4B7DE8E7E2ED33D
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\de_mirage.txt | csv | 3BA7602D18CF851C872DA2D1CF751FA4 | 4A3E92E437E6F842AAB3A93BC3E1A399EB30BCBBF74AFE68E3A1CDB022A2CD9B
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\DriverMapper.exe | executable | 8BF69EDDA1E10F0E935038D8299B3EAE | E7A503F0A7BC1ACF71034ABC36329B1733F0B67AA6E07BD06688BFD9E333E871
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\de_ancient.txt | csv | 27871442EC9923351B2FAE785B28F59A | B465DC4B30782286EA72E366DCA81B0652437A042C729358EAD460D308A8AEBB
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\GrenadeHelper.txt | csv | C6B9CF1EDE0610B145A3010224710D9C | 45A60CEE6B2021961C1B19B10D04CDA7E1F055B4CB70CD2C2A3B03B273F5F80A
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\ar_baggage.txt | csv | 3BF4DCF5608BFD9B36E1FEA67253A2B7 | 9F0BE0E0F207AEC47E2F84489212F102EB7F3058C3412F4F0549BD22D4FF8CAC
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\de_anubis.txt | csv | B74A4EFA53C5647F8AF635BC6197AAAE | 209307FC26A01A22EC3DE042F5D6831012E03A39CE6B5901417F05FBF53B3D97
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\de_inferno.txt | csv | 5869A1373C2B88A07C2F3E3351E34A35 | A438D6EE0D7B8A25B16564AB3C8B48FDB3184C9CCDA86B809A30582192A97345
5332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5332.37168\Orbit\Orbit Mapdata\de_nuke.txt | csv | A808A1D8D980F9DC3676A777F146157E | AD0C2CAAC469BA8321CBF1940BF039F76E9C1CD9240F6EF928F2B172AD331369
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 56
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2248 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
6476 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | unknown
2456 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
3800 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
6476 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
5932 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
2248 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
2248 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
188 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4180 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2248 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2248 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4180 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4656 | SearchApp.exe | 92.123.104.51:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
www.bing.com | 92.123.104.51, 92.123.104.40, 92.123.104.31, 92.123.104.32, 92.123.104.30, 92.123.104.33, 92.123.104.47, 92.123.104.46, 92.123.104.43 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.160.14, 40.126.32.68, 40.126.32.136, 40.126.32.74, 40.126.32.134, 40.126.32.72, 20.190.160.20, 20.190.160.22 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
client.wns.windows.com | 40.113.103.199 | whitelisted

Threats

No threats detected
No debug info