File name:

funny-virus-main.zip

Full analysis: https://app.any.run/tasks/3509416c-ab01-445a-8437-6c6c09c93e8f
Verdict: Malicious activity
Analysis date: June 03, 2025, 10:09:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

7ED0DC5D448D1B64BC9C9D9ABE635195

SHA1:

36E54354A28C685F528183948597F454C0079A1F

SHA256:

8DB8417904F66581604AB0E54D0B8102B3A13D63BF6216DBE22014F1B4A3D7D6

SSDEEP:

1536:qEdHgyTootc+L46O1A9KJp9Av6UG0da0YXdLzku:nHfTooV4h1V9AfTdapXdLzT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 7340)
      • cmd.exe (PID: 7808)
      • net.exe (PID: 8188)
      • net.exe (PID: 7936)

    • Application launched itself

      • cmd.exe (PID: 6368)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2152)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6368)

    • Starts process via Powershell

      • powershell.exe (PID: 8144)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 8144)
      • cmd.exe (PID: 6368)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7808)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7340)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 8144)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 7808)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7808)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 6368)
      • cmd.exe (PID: 7340)
      • cmd.exe (PID: 6852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:04:10 09:26:56
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: funny-virus-main/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
23
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe no specs sppextcomobj.exe no specs slui.exe no specs rundll32.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs netsh.exe no specs timeout.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs net.exe no specs net1.exe no specs reg.exe no specs rundll32.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1452C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
2152C:\WINDOWS\system32\cmd.exe /c netsh wlan show profilesC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
2568netsh wlan show profilesC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3304\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5624timeout /t 1 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6368C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\funny-virus-main\1.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
6712\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6852C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\funny-virus-main\copy_chrome_data.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
6988"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\funny-virus-main.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7216\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 607
Read events
6 598
Write events
9
Delete events
0

Modification events

(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\funny-virus-main.zip
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6988) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7876) reg.exeKey:HKEY_CURRENT_USER\Control Panel\Desktop
Operation:writeName:Wallpaper
Value:
C:\path\to\your\image.jpg
Executable files
0
Suspicious files
3
Text files
47
Unknown types
0

Dropped files

PID
Process
Filename
Type
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\desktop_change.battext
MD5:0769701F9F9D4D6B286E763B7DDF9320
SHA256:7D62B4988303A734CA8FEC19692D5BFE9DF617F283393F20782DAA1FE3BC000D
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\copy_chrome_data.battext
MD5:48C883B184C770AED8655B1252507F7D
SHA256:73FEAFD4170813028E58CFD53653F89B6CBE48EC73FF4E25CF6FC13B01D05AFD
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\README.mdtext
MD5:E712E9BF09AA504BBF7B4189089BE7DC
SHA256:6262BA072C7C1686B89581BBC12140A49C387EBB20AE6F20EB2E4375FFDF2D39
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\banner\yourdevicehasbeenhacked.txttext
MD5:17DD55831EAF5CB8CA291EA602B41C33
SHA256:DF307DB327C65CA5DE5FD3C59E00254A75E27D28DFD20F609E0FB5FCB77C1A18
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\My-CEH-Note.txttext
MD5:2A7D200FB279263F0BCAB983EF1E68C0
SHA256:225CB9DCDA22611C14BA36C33FBE3D17A8E9C53AC703606DD943D1189914DE8D
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\network_saver\network_saver.vbatext
MD5:30B807E5ED6E32D67D0CC10B1BA29234
SHA256:C6F51A9558CAEF9A0B573B572C06FD9E87ACC0AC033E17D586C3097AFCAAC713
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\network_saver\network_saver.battext
MD5:1D913538AD2BDE68F3C8156A1295E27F
SHA256:1E63482E41A91922A3B99926CE51E55F910B4A1BF82E998D04F40F75E74C1CC8
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\exel1.vbatext
MD5:F8ABCBD21112C47FDE7067AE93965812
SHA256:3D69AFE76DB5E211270E5357F1A2ACD7B7B153F8EF68FDAAA084637C949586DB
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\fuckschool\go.gotext
MD5:324178B398BFD949A78BA8D7B5F722DB
SHA256:832693FEB7C943DD66C4BAA66C579160D03FB4734F9DDA929B12CEBE3D1AFD77
6988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6988.16580\funny-virus-main\network_saver\network_saver.docmdocument
MD5:E122F527D2CF161BDE392F0BD84C78AA
SHA256:39BE02A980B37DBB7925A71859855CE7441F4020B9A19038A48D4C467D02268E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
20
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7552
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7552
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7000
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7000
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7864
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7552
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7552
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7552
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.75
  • 20.190.159.131
  • 40.126.31.131
  • 40.126.31.73
  • 40.126.31.71
  • 40.126.31.0
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
funny-virus-main.zip