Malware analysis 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.zip Malicious activity

Add for printing

File name:	48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.zip
Full analysis:	https://app.any.run/tasks/04e2f615-9bcf-4ed8-99cc-8e99378c8a6a
Verdict:	Malicious activity
Analysis date:	July 19, 2024, 18:05:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netreactor
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	90979AFF2B6FA2E3093EC593FB515DB7
SHA1:	DB0ECED45590225814E02DDA68BD8EDA3C2DB1D0
SHA256:	8FE3BFF7178B430314F38BAE4D49C21A0C57A09D76141B6FB82C72272D2DC372
SSDEEP:	98304:P9JYrWN+tCEJ0kQuwS1czc4ZOSAoXa8khHo80/VkLaTR5evK0M9EkqeEUO7aeXM6:P7FVt+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 6800)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe (PID: 8112)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - lrjuem2a.exe (PID: 2648)
  - UnifiedStub-installer.exe (PID: 6840)
  - 7za.exe (PID: 4796)
  - 7za.exe (PID: 4512)
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 6840)
  - rsEngineSvc.exe (PID: 3128)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 7936)
- Creates a writable file in the system directory
  - UnifiedStub-installer.exe (PID: 6840)
  - rsEDRSvc.exe (PID: 2276)
SUSPICIOUS
- Application launched itself
  - Taskmgr.exe (PID: 6932)
- Executable content was dropped or overwritten
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe (PID: 8112)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - lrjuem2a.exe (PID: 2648)
  - UnifiedStub-installer.exe (PID: 6840)
  - 7za.exe (PID: 4796)
  - 7za.exe (PID: 4512)
- Reads the Windows owner or organization settings
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
- Reads the date of Windows installation
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - rsEDRSvc.exe (PID: 2276)
- Reads security settings of Internet Explorer
  - prod0.exe (PID: 6940)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 3404)
- Process drops legitimate windows executable
  - lrjuem2a.exe (PID: 2648)
  - 7za.exe (PID: 4796)
  - 7za.exe (PID: 4512)
  - UnifiedStub-installer.exe (PID: 6840)
- Executes application which crashes
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
- Searches for installed software
  - UnifiedStub-installer.exe (PID: 6840)
- Creates a software uninstall entry
  - UnifiedStub-installer.exe (PID: 6840)
- Drops 7-zip archiver for unpacking
  - lrjuem2a.exe (PID: 2648)
  - 7za.exe (PID: 4512)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 7064)
  - rsClientSvc.exe (PID: 6640)
  - rsWSC.exe (PID: 2104)
  - rsEngineSvc.exe (PID: 3128)
  - rsEDRSvc.exe (PID: 2276)
- The process creates files with name similar to system file names
  - 7za.exe (PID: 4512)
- The process drops C-runtime libraries
  - 7za.exe (PID: 4512)
  - UnifiedStub-installer.exe (PID: 6840)
- Drops a system driver (possible attempt to evade defenses)
  - 7za.exe (PID: 4512)
  - UnifiedStub-installer.exe (PID: 6840)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - UnifiedStub-installer.exe (PID: 6840)
- Creates or modifies Windows services
  - UnifiedStub-installer.exe (PID: 6840)
  - rundll32.exe (PID: 7936)
- Creates files in the driver directory
  - UnifiedStub-installer.exe (PID: 6840)
- Uses RUNDLL32.EXE to load library
  - UnifiedStub-installer.exe (PID: 6840)
- Checks Windows Trust Settings
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 3404)
  - rsEDRSvc.exe (PID: 2276)
  - rsWSC.exe (PID: 2104)
- Adds/modifies Windows certificates
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 2276)
- Reads the BIOS version
  - rsEDRSvc.exe (PID: 2276)
- Process checks is Powershell's Script Block Logging on
  - rsEDRSvc.exe (PID: 2276)
INFO
- Manual execution by a user
  - Taskmgr.exe (PID: 8084)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe (PID: 8112)
  - Taskmgr.exe (PID: 6932)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6800)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 6932)
  - Taskmgr.exe (PID: 7344)
  - runonce.exe (PID: 5300)
- Create files in a temporary directory
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe (PID: 8112)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - lrjuem2a.exe (PID: 2648)
  - UnifiedStub-installer.exe (PID: 6840)
- Checks supported languages
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe (PID: 8112)
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - lrjuem2a.exe (PID: 2648)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsSyncSvc.exe (PID: 7908)
  - rsSyncSvc.exe (PID: 7064)
  - 7za.exe (PID: 4512)
  - 7za.exe (PID: 4796)
  - rsWSC.exe (PID: 3888)
  - rsClientSvc.exe (PID: 6624)
  - rsWSC.exe (PID: 2104)
  - rsClientSvc.exe (PID: 6640)
  - rsEngineSvc.exe (PID: 3128)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 2276)
  - rsEDRSvc.exe (PID: 3404)
  - rsHelper.exe (PID: 6668)
- Reads the computer name
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsSyncSvc.exe (PID: 7908)
  - rsSyncSvc.exe (PID: 7064)
  - 7za.exe (PID: 4796)
  - 7za.exe (PID: 4512)
  - rsWSC.exe (PID: 3888)
  - rsWSC.exe (PID: 2104)
  - rsClientSvc.exe (PID: 6624)
  - rsClientSvc.exe (PID: 6640)
  - rsEngineSvc.exe (PID: 3128)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 2276)
  - rsEDRSvc.exe (PID: 3404)
  - rsHelper.exe (PID: 6668)
- Reads the machine GUID from the registry
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsWSC.exe (PID: 3888)
  - rsWSC.exe (PID: 2104)
  - rsEngineSvc.exe (PID: 3128)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 3404)
  - rsEDRSvc.exe (PID: 2276)
  - rsHelper.exe (PID: 6668)
- Reads the software policy settings
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 3404)
  - rsEngineSvc.exe (PID: 3128)
  - rsEDRSvc.exe (PID: 2276)
  - rsWSC.exe (PID: 2104)
- Checks proxy server information
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
- Process checks computer location settings
  - 48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp (PID: 7684)
  - prod0.exe (PID: 6940)
- Disables trace logs
  - prod0.exe (PID: 6940)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsEngineSvc.exe (PID: 3128)
  - rsEDRSvc.exe (PID: 2276)
- Reads Environment values
  - prod0.exe (PID: 6940)
  - UnifiedStub-installer.exe (PID: 6840)
  - rsEngineSvc.exe (PID: 3128)
  - rsEDRSvc.exe (PID: 2276)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 2276)
  - WerFault.exe (PID: 2476)
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
- Creates files in the program directory
  - UnifiedStub-installer.exe (PID: 6840)
  - 7za.exe (PID: 4796)
  - 7za.exe (PID: 4512)
  - rsWSC.exe (PID: 3888)
  - rsEngineSvc.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 3404)
  - rsEngineSvc.exe (PID: 3128)
  - rsEDRSvc.exe (PID: 2276)
- .NET Reactor protector has been detected
  - UnifiedStub-installer.exe (PID: 6840)
- Reads the time zone
  - runonce.exe (PID: 5300)
  - rsEDRSvc.exe (PID: 2276)
- Reads CPU info
  - rsEDRSvc.exe (PID: 2276)
- Reads product name
  - rsEDRSvc.exe (PID: 2276)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:07:19 18:05:12
ZipCRC:	0x000b524a
ZipCompressedSize:	2020628
ZipUncompressedSize:	2576200
ZipFileName:	48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

190

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2104

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

—

services.exe

User:

SYSTEM

Company:

Reason Software Company Inc.

Integrity Level:

SYSTEM

Description:

rsWSC

Version:

6.0.3.0

2276

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7684 -s 1108

C:\Windows\SysWOW64\WerFault.exe

—

48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

2276

"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe

services.exe

User:

SYSTEM

Company:

Reason Cybersecurity Ltd.

Integrity Level:

SYSTEM

Description:

Reason EDR Service

Version:

2.1.0

2476

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7684 -s 1108

C:\Windows\SysWOW64\WerFault.exe

—

48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

2648

"C:\Users\admin\AppData\Local\Temp\lrjuem2a.exe" /silent

C:\Users\admin\AppData\Local\Temp\lrjuem2a.exe

prod0.exe

User:

admin

Company:

ReasonLabs

Integrity Level:

HIGH

Description:

ReasonLabs-setup-wizard.exe

Version:

6.0.2

Modules

Images
c:\users\admin\appdata\local\temp\lrjuem2a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

3128

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

services.exe

User:

SYSTEM

Company:

Reason Software Company Inc.

Integrity Level:

SYSTEM

Description:

rsEngineSvc

Version:

3.2.0.0

3404

"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe

—

UnifiedStub-installer.exe

User:

admin

Company:

Reason Cybersecurity Ltd.

Integrity Level:

HIGH

Description:

Reason EDR Service

Exit code:

Version:

2.1.0

3412

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3776

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

wevtutil.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

3868

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

rsSyncSvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

27 681

Read events

27 539

Write events

109

Delete events

Modification events


(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.zip
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

Add for printing

Executable files

507

Suspicious files

115

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
8112	48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe	C:\Users\admin\AppData\Local\Temp\is-R415F.tmp\48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp		executable
		MD5:DD40149397C65DB7E46877143552AAC5	SHA256:F4E460EDDF3D8408AE887AC53FE96906A3B534D99A5FD9C3FE7777948293D1F7
7684	48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp	C:\Users\admin\AppData\Local\Temp\is-1KONN.tmp\logo.png		image
		MD5:5078AAB74E06AA597E66D92C9DBFE5FD	SHA256:597EF7036D93670839F088C50328673AE7B8532F276CAB6BB33F1FD2C568D7DA
6932	Taskmgr.exe	C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock		text
		MD5:F49655F856ACB8884CC0ACE29216F511	SHA256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
6800	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6800.17474\48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.exe		executable
		MD5:3CB0739401D24B6BC0C65E337E15C104	SHA256:48053935A1B62D13F2A1301D42A3BE930BB4718E8476C32B5050512209FDB3BB
2648	lrjuem2a.exe	C:\Users\admin\AppData\Local\Temp\7zS85AD8AB4\BouncyCastle.Cryptography.dll		executable
		MD5:22A8DB8233A2FCFC493852AE9ECEBB94	SHA256:27504EDF2DADE4A83799C579179E72DAD089C6278895403D84206A1D027429EB
7684	48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp	C:\Users\admin\AppData\Local\Temp\is-1KONN.tmp\prod0		executable
		MD5:9EFB4669A19BFBDEB032BDC5F3F26382	SHA256:68FA3EA087ED3C9089BB648C95F3A53078AC4C962F5BC7369B16DD2B0E450DF8
7684	48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.tmp	C:\Users\admin\AppData\Local\Temp\is-1KONN.tmp\prod0.exe		executable
		MD5:9EFB4669A19BFBDEB032BDC5F3F26382	SHA256:68FA3EA087ED3C9089BB648C95F3A53078AC4C962F5BC7369B16DD2B0E450DF8
6940	prod0.exe	C:\Users\admin\AppData\Local\Temp\lrjuem2a.exe		executable
		MD5:062179B7A046F091EB962CFE5033AF4E	SHA256:D3A5919C470CEB6A4CED211312C78548F0BDA633AB81790C19C1C6B57C3E92B9
2648	lrjuem2a.exe	C:\Users\admin\AppData\Local\Temp\7zS85AD8AB4\de\Microsoft.Win32.TaskScheduler.resources.dll		executable
		MD5:F83D720B236576C7D1F9F55D3BB988F9	SHA256:6909A1C134D0285FBA2422A40EA0E65C1F0CA3C3EF2B94A1166015AF2A87780F
2648	lrjuem2a.exe	C:\Users\admin\AppData\Local\Temp\7zS85AD8AB4\da-DK\UnifiedStub.resources.dll		executable
		MD5:2A7A6A99B2C0182C895A986113B5361B	SHA256:D58C552C357CD8DF3AB396F861C4F9366A999168E3EF1C9731E0C9BCB0206BF2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3888	rsWSC.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCeArDpSs6yEJyh6YNr4MLb	unknown	—	—	whitelisted
3888	rsWSC.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQRz3ETyLz2DaZTxGOH%2BA%2BjK7MkGAQUJGWTmAgB6E7U1kzqZFXhwPr7z7MCEAeSK29bdU5YKBXAnjHx1BY%3D	unknown	—	—	whitelisted
6276	rsEngineSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBq81UG1MnDOVNKqff0SSEz6JuZwQU6IPEM9fcnwycdpoKptTfh6ZeWO4CEzMAATXj8%2BWM%2BdRgn3UAAAABNeM%3D	unknown	—	—	whitelisted
6276	rsEngineSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAHN4xbodlbjNQAAAAAAAc%3D	unknown	—	—	whitelisted
6276	rsEngineSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
2276	rsEDRSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
2276	rsEDRSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAHN4xbodlbjNQAAAAAAAc%3D	unknown	—	—	whitelisted
2276	rsEDRSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBq81UG1MnDOVNKqff0SSEz6JuZwQU6IPEM9fcnwycdpoKptTfh6ZeWO4CEzMAATXj8%2BWM%2BdRgn3UAAAABNeM%3D	unknown	—	—	whitelisted
2276	rsEDRSvc.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl	unknown	—	—	whitelisted
2276	rsEDRSvc.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4716	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7856	svchost.exe	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7320	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4716	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3444	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	40.126.31.67 20.190.159.64 40.126.31.69 20.190.159.4 20.190.159.68 40.126.31.73 20.190.159.75 20.190.159.2	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.185.206	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
arc.msn.com	20.223.36.55	whitelisted
www.bing.com	92.123.104.40 92.123.104.38 92.123.104.37 92.123.104.44 92.123.104.33 92.123.104.35 92.123.104.32 92.123.104.36 92.123.104.43	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted
d11iilsblp9z11.cloudfront.net	143.204.205.21 143.204.205.88 143.204.205.208 143.204.205.105	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

48053935a1b62d13f2a1301d42a3be930bb4718e8476c32b5050512209fdb3bb.zip

90979AFF2B6FA2E3093EC593FB515DB7

DB0ECED45590225814E02DDA68BD8EDA3C2DB1D0

8FE3BFF7178B430314F38BAE4D49C21A0C57A09D76141B6FB82C72272D2DC372

98304:P9JYrWN+tCEJ0kQuwS1czc4ZOSAoXa8khHo80/VkLaTR5evK0M9EkqeEUO7aeXM6:P7FVt+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Changes the autorun value in the registry

Creates a writable file in the system directory

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads the date of Windows installation

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executes application which crashes

Searches for installed software

Creates a software uninstall entry

Drops 7-zip archiver for unpacking

Executes as Windows Service

The process creates files with name similar to system file names

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Creates or modifies Windows services

Creates files in the driver directory

Uses RUNDLL32.EXE to load library

Checks Windows Trust Settings

Adds/modifies Windows certificates

Reads the BIOS version

Process checks is Powershell's Script Block Logging on

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Process checks computer location settings

Disables trace logs

Reads Environment values

Creates files or folders in the user directory

Creates files in the program directory

.NET Reactor protector has been detected

Reads the time zone

Reads CPU info

Reads product name

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Modules

Information

Information

Modules

Information

Modules

Information

Information

Information

Modules