File name:	buff_for_post_2.zip
Full analysis:	https://app.any.run/tasks/5256f3aa-efb6-4675-a856-810d6db71531
Verdict:	Suspicious activity
Analysis date:	July 23, 2025, 01:47:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	F21C0D98BCAE943569571ED6F8AC1F48
SHA1:	CC85DCDB28C983E7B11CDE1781267618D52E2B6B
SHA256:	8F851AF71079FFA30ACC64470F32A8B6F02712052E7CB88F4A6AD07CDDEEC7C8
SSDEEP:	49152:WzWdtPEIzPjPsJlvsHu1t/y5x0eV53L+1fbXtigwJQA0+GRwfCP6NG0AUpN6aKg3:WQtsIzdu1t/y5Z3b+lbZmQAxmwfG4G0x

ZipRequiredVersion:	20
ZipBitFlag:	0x0008
ZipCompression:	Deflated
ZipModifyDate:	2025:07:21 17:31:50
ZipCRC:	0x4f94b716
ZipCompressedSize:	2390
ZipUncompressedSize:	9113
ZipFileName:	buff_for_post_2.py


(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\Microsoft.WindowsTerminalCanary_latest_x64.zip
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\innounp050.rar
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\lessmsi.zip
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\buff_for_post_2.zip
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(4352) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

PID	Process	Filename		Type
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\buff_for_post_2\libstdc++-6.dll		executable
		MD5:A62E154AA5B69446CD31BAE1A0B4043E	SHA256:9EDEFCE2889BE24C986C376F3FFCFEF652A70C12885558668872FE8272E07069
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\buff_for_post_2\libwinpthread-1.dll		executable
		MD5:2EED5944753372B3ED98279B1FCDDA69	SHA256:20CEB15217CD5FFA4C20CFAC18475186A31DCC618EBDEA25AE58BF24F919345C
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4352.8283\libwinpthread-1.dll		executable
		MD5:2EED5944753372B3ED98279B1FCDDA69	SHA256:20CEB15217CD5FFA4C20CFAC18475186A31DCC618EBDEA25AE58BF24F919345C
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4352.8283\buff_for_post_2.py		text
		MD5:52134A18719439634459990FF4BFFB71	SHA256:A7BAA54485D04C2EAB2C7733FBE2866FBCF7760C486CB5102CAC729BC87442BE
2000	python.exe	C:\Users\admin\AppData\Local\Programs\Python\Python314\Lib\__pycache__\rlcompleter.cpython-314.pyc		binary
		MD5:8E2DA7EE6A418CCD2AA8C42D852ABFDE	SHA256:03B499BC85A09A04BF6BAB9D8FBF38989338035BC00C91083151E7B2A4AEC7B0
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4352.8283\libgcc_s_seh-1.dll		executable
		MD5:06B05F2D35E1D0851387D6DA6B282E96	SHA256:34D768D97CA0CF5F6701DA069313038B315C6CDFFA5F987975C92163453551E9
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4352.8283\libstdc++-6.dll		executable
		MD5:A62E154AA5B69446CD31BAE1A0B4043E	SHA256:9EDEFCE2889BE24C986C376F3FFCFEF652A70C12885558668872FE8272E07069
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\buff_for_post_2\buff_for_post_2.py		text
		MD5:52134A18719439634459990FF4BFFB71	SHA256:A7BAA54485D04C2EAB2C7733FBE2866FBCF7760C486CB5102CAC729BC87442BE
4352	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4352.8283\overflow3.exe		executable
		MD5:01ADB253FCCC5EA236AF07086C9D2BA9	SHA256:C50E4B2628F561605DF0A2B82E2A81EFA720F89C69C15BC0E0A9F6CCEA3FB6C3
2000	python.exe	C:\Users\admin\AppData\Local\Programs\Python\Python314\Lib\_pyrepl\__pycache__\readline.cpython-314.pyc.1415611583632		binary
		MD5:BCCBE09CFD1D8E1838D24FC289B8D8F4	SHA256:8CCED5B63EACAD04EC615C4B7CECAB1AD81DE1654712ED39B22D8DC684304DD2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7072	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6284	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6284	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3556	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3556	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5332	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5332	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
1360	WerFault.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2936	svchost.exe	GET	200	72.246.169.163:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
1360	WerFault.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6284	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4664	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
564	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5332	SearchApp.exe	92.123.104.32:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7072	svchost.exe	40.126.31.0:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7072	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
6284	svchost.exe	20.44.239.154:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
2788	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.44.239.154	whitelisted
www.bing.com	92.123.104.32 92.123.104.34 2.16.241.218 2.16.241.201	whitelisted
google.com	172.217.18.14	whitelisted
login.live.com	40.126.31.0 40.126.31.128 20.190.159.23 20.190.159.131 40.126.31.69 20.190.159.73 40.126.31.131 40.126.31.3 20.190.160.5 20.190.160.132 20.190.160.67 40.126.32.68 20.190.160.128 40.126.32.138 20.190.160.65 40.126.32.133	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.14 23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Process	Message
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

buff_for_post_2.zip

F21C0D98BCAE943569571ED6F8AC1F48

CC85DCDB28C983E7B11CDE1781267618D52E2B6B

8F851AF71079FFA30ACC64470F32A8B6F02712052E7CB88F4A6AD07CDDEEC7C8

49152:WzWdtPEIzPjPsJlvsHu1t/y5x0eV53L+1fbXtigwJQA0+GRwfCP6NG0AUpN6aKg3:WQtsIzdu1t/y5Z3b+lbZmQAxmwfG4G0x

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Loads Python modules

Executes application which crashes

INFO

Manual execution by a user

The sample compiled with english language support

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Python executable

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings