File name:

ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.zip

Full analysis: https://app.any.run/tasks/31498335-40f7-42c3-8544-de1e612abcc8
Verdict: Malicious activity
Analysis date: April 06, 2026, 12:29:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
susp-powershell
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

C90BAEB4BBDCF8863B65183B0F631772

SHA1:

7125D938B78EFFC4FEAB041068578FC365E8682D

SHA256:

949FA48B26A9A9C237FA1A2A86BD67B6BF8BA59CC709996AC7542370288A0CF5

SSDEEP:

6144:V2EM5RcMRbwH/uAjtnu0djjyASoEnOhku32VfCpDE+:V25+MRsH/BxuAjVSoEnCku32wK+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Execute application with conhost.exe as parent process

      • powershell.exe (PID: 2164)

    • Changes powershell execution policy (Bypass)

      • conhost.exe (PID: 6576)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 2164)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 2164)

    • Changes the login/logoff helper path in the registry

      • powershell.exe (PID: 2164)

  • SUSPICIOUS

    • Uses IEX to run payload from environment variable

      • powershell.exe (PID: 2164)
      • conhost.exe (PID: 6576)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 2684)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2164)

    • The process hide an interactive prompt from the user

      • conhost.exe (PID: 6576)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2684)

    • Manipulates environment variables

      • powershell.exe (PID: 2164)

    • The process bypasses the loading of PowerShell profile settings

      • conhost.exe (PID: 6576)

    • Executes script without checking the security policy

      • powershell.exe (PID: 2164)

    • Starts POWERSHELL.EXE for commands execution

      • conhost.exe (PID: 6576)

    • Writes data to a memory stream (POWERSHELL)

      • powershell.exe (PID: 2164)

  • INFO

    • Manual execution by a user

      • wscript.exe (PID: 2684)

    • Generic archive extractor

      • WinRAR.exe (PID: 684)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2164)

    • Using PowerShell for GZIP File Operations

      • powershell.exe (PID: 2164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2026:04:06 12:29:20
ZipCRC: 0xbf5f2914
ZipCompressedSize: 198642
ZipUncompressedSize: 319878
ZipFileName: ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.js
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
278
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe no specs conhost.exe no specs powershell.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
684"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1268C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2164powershell.exe -W H -NOP -NONI -Ep BYpAss -Command "iex $env:ERIhy3CRIF"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2684"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.js" C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6576"C:\Windows\System32\conhost.exe" --headless powershell.exe -W H -NOP -NONI -Ep BYpAss -Command "iex $env:ERIhy3CRIF"C:\Windows\System32\conhost.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 382
Read events
10 360
Write events
22
Delete events
0

Modification events

(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.zip
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(684) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
0
Suspicious files
0
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
2164powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ifnv51mo.bi2.ps1binary
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2164powershell.exeC:\Users\admin\AppData\Local\FilesizeBarcodeAdjusting\TeacherWeightsBriefings.jsbinary
MD5:C6AA614F76E0FAC91AEAFB2D692BF315
SHA256:CA04780ECAACE8602D75C8F928FD6274A7025D953EBCA9CE5EA2D7CE932F176F
2164powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:966AD25A497A0ECBE536BCC61104AA9D
SHA256:0F4CF0F869DD5281922D9B7C4408590E5F4BC2C171C5B41351C1C8B8ADA9A1C9
684WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb684.23742\ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.jstext
MD5:C6AA614F76E0FAC91AEAFB2D692BF315
SHA256:CA04780ECAACE8602D75C8F928FD6274A7025D953EBCA9CE5EA2D7CE932F176F
2164powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sgaefif1.du3.psm1binary
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
212
TCP/UDP connections
97
DNS requests
38
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2164
powershell.exe
GET
45.43.142.101:443
https://i.postimg.cc/PJMG3BXJ/image.png
FR
unknown
5316
svchost.exe
POST
200
20.190.160.14:443
https://login.live.com/RST2.srf
US
1.24 Kb
whitelisted
5316
svchost.exe
POST
400
40.126.29.10:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
203 b
whitelisted
POST
400
20.190.160.14:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
5316
svchost.exe
POST
400
40.126.29.10:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
203 b
whitelisted
POST
400
20.190.160.14:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
7428
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5316
svchost.exe
POST
400
40.126.29.10:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
203 b
whitelisted
5316
svchost.exe
POST
400
20.190.160.14:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
5316
svchost.exe
POST
200
40.126.29.10:443
https://login.live.com/RST2.srf
US
1.24 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5484
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5632
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3428
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5316
svchost.exe
40.126.29.10:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5484
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2164
powershell.exe
45.43.142.101:443
i.postimg.cc
OVH
FR
whitelisted
5208
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
  • 48.192.1.65
whitelisted
google.com
  • 142.251.13.102
  • 142.251.13.101
  • 142.251.13.139
  • 142.251.13.100
  • 142.251.13.113
  • 142.251.13.138
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.29.10
  • 20.190.157.3
  • 20.190.157.14
  • 20.190.157.4
  • 20.190.157.2
  • 40.126.29.11
  • 20.190.157.12
  • 20.190.157.13
  • 20.190.160.20
  • 20.190.160.2
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.136
  • 20.190.160.128
  • 40.126.32.138
  • 40.126.32.140
whitelisted
i.postimg.cc
  • 45.43.142.101
  • 46.105.222.82
  • 46.105.222.162
  • 46.105.222.81
  • 45.43.142.101
  • 46.105.222.161
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.165.94.54
whitelisted

Threats

PID
Process
Class
Message
2232
svchost.exe
Misc activity
INFO [ANY.RUN] .cc TLD domain request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ca04780ecaace8602d75c8f928fd6274a7025d953ebca9ce5ea2d7ce932f176f.zip