File name:	93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7
Full analysis:	https://app.any.run/tasks/952dac1c-3bd3-4e76-8c5c-f84248a87b5a
Verdict:	Malicious activity
Analysis date:	February 17, 2025, 14:19:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc github
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	1B11867E6C2C94A121B90F448FF89949
SHA1:	2A99BE04FF50278100CE15C608BFB7D7D862CAF1
SHA256:	93A9942D83FCF3CBAFF77D94328976BA9ACD5368275B7E3BAEACA9745EA4B6E7
SSDEEP:	49152:rktSlAf4zkaHhpza1Fz5N08XG6mF7lxel8eeWnMYssnJNfJ9idJn5nN4v914j322:rk0Sf4zkaBpza1FtNTXG68il8LhYssJ4

.xpi	\|	Mozilla Firefox browser extension (66.6)
.zip	\|	ZIP compressed archive (33.3)

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:11:07 15:00:14
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	??室/bin/


(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\bin\quic_initial_www_google_com.bin		binary
		MD5:312526D39958D89B1F8AB67789AB985F	SHA256:F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\bin\WinDivert.dll		executable
		MD5:B2014D33EE645112D5DC16FE9D9FCBFF	SHA256:C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\discord.bat		text
		MD5:C01056F88C8646CAB2D85A31F44F1186	SHA256:21ADF614F58D39396C49BF10AE3F6187905F328E24D7363372D299F821D18CF6
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\general (ALT5).bat		text
		MD5:DC9657042904B682CDCF34B8AC732168	SHA256:AD49282AF6FC53DA5CC11FFB91C8A3D276B711695AE2777262BEC2685424FB03
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\general.bat		text
		MD5:1F9E2279F96B01B8C1723B77DB9FC8B8	SHA256:AF7CA78237DD2E3E66D581EBBA166DC19D4EF7E02A269FB7A26D079592C72479
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\general (ALT3).bat		text
		MD5:6E0FD8729815F1941C5FD4016C888EC5	SHA256:198FDA8A2FC02A4A501F13B67D1232DFCB3157075D3AB76494D17C64742E82D3
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\general (ALT).bat		text
		MD5:F2DFDB0EC74378D6DEFC004BCFCEE491	SHA256:ADFA52BEACE1FF288D2CC20D6814E8EB04FAE5A9256B600C402F91AB94AF5886
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\bin\cygwin1.dll		executable
		MD5:C50B50303FAE4AFE7248307339A00D13	SHA256:712C39A069541AFA69CFCBE01B422BD67B4201EEE7E94CC1327D4ED8B4FA2167
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\bin\winws.exe		executable
		MD5:444FE359CA183016B93D8BFE398D5103	SHA256:0453FCE6906402181DBFF7E09B32181EB1C08BB002BE89849E8992B832F43B89
3816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3816.29832\93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7.zip\«ís«ñ\check_updates.bat		text
		MD5:C0AF479B986A7E2095929A68136CD97C	SHA256:438ADFB9F66429E1B6B0474FE0CDBD397098D58C4B80FF2C74237C6F9B99DF23

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5392	svchost.exe	GET	200	2.16.164.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5392	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	—	140.82.121.3:443	https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/refs/heads/main/.service/version.txt	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.19.96.90:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5392	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.17:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5392	svchost.exe	2.16.164.17:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5392	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
www.bing.com	2.19.96.90 2.19.96.83 2.19.96.129 2.19.96.120 2.19.96.66	whitelisted
google.com	142.250.186.46	whitelisted
crl.microsoft.com	2.16.164.17 2.16.164.40 2.16.164.34 2.16.164.24 2.16.164.106 2.16.164.72	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.109.133 185.199.110.133 185.199.108.133	whitelisted
self.events.data.microsoft.com	13.89.179.10	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

93a9942d83fcf3cbaff77d94328976ba9acd5368275b7e3baeaca9745ea4b6e7

1B11867E6C2C94A121B90F448FF89949

2A99BE04FF50278100CE15C608BFB7D7D862CAF1

93A9942D83FCF3CBAFF77D94328976BA9ACD5368275B7E3BAEACA9745EA4B6E7

49152:rktSlAf4zkaHhpza1Fz5N08XG6mF7lxel8eeWnMYssnJNfJ9idJn5nN4v914j322:rk0Sf4zkaBpza1FtNTXG68il8LhYssJ4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Detects Cygwin installation

Starts NET.EXE for service management

SUSPICIOUS

Drops a system driver (possible attempt to evade defenses)

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Starts application with an unusual extension

Starts process via Powershell

Starts POWERSHELL.EXE for commands execution

Application launched itself

Hides command output

Starts SC.EXE for service management

Windows service management via SC.EXE

Creates a new Windows service

INFO

Executable content was dropped or overwritten

The sample compiled with english language support

Manual execution by a user

Reads the computer name

Changes the display of characters in the console

Create files in a temporary directory

Checks supported languages

Disables trace logs

Script raised an exception (POWERSHELL)

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings