File name:

Archive.zip

Full analysis: https://app.any.run/tasks/237dd3dd-0b32-4b16-90ec-d60014e42d04
Verdict: Malicious activity
Threats:

Cobalt Strike is a commercial adversary-simulation and penetration-testing toolkit developed by Fortra (formerly HelpSystems). Cracked and leaked copies are widely adopted by threat actors, who use its Beacon payload as a command-and-control (C2) framework of choice for targeted attacks.

Analysis date: January 17, 2025, 14:23:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
cobaltstrike
xor-url
generic
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

E36EA7B4FC51F485DE55CAC57778E7B1

SHA1:

15D8AFC5DEB5AD565BB08990A168BFC93D944A6E

SHA256:

B5E13EB0D3A161937554CC8AA1C129DFEAECFDD5E98FA7A7D8EB656627A17F8F

SSDEEP:

768:4IfTk6Xl7YzEeUNtZNssdO4zU4Pm0u9O97z5zGEoKH5iCS3xuMiRU:9fXezuxE9O9z5qhfiq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6360)
    • XORed URL has been found (YARA)

      • open.exe (PID: 6932)
      • open.exe (PID: 2600)
      • open.exe (PID: 6244)
    • COBALTSTRIKE has been detected (YARA)

      • open.exe (PID: 6932)
      • open.exe (PID: 2600)
      • open.exe (PID: 6244)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6360)
      • open.exe (PID: 6932)
      • open.exe (PID: 2600)
      • open.exe (PID: 6244)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6360)
    • Starts a Microsoft application from unusual location

      • open.exe (PID: 6932)
      • open.exe (PID: 6116)
      • open.exe (PID: 2600)
      • open.exe (PID: 6868)
      • open.exe (PID: 7124)
      • open.exe (PID: 6244)
      • open.exe (PID: 7104)
    • Checks Windows Trust Settings

      • open.exe (PID: 6932)
      • open.exe (PID: 2600)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 4672)
    • Executes application which crashes

      • open.exe (PID: 6116)
    • Start notepad (likely ransomware note)
      (in this run the file opened was C:\Users\admin\AppData\Local\Temp\VSWebHandler_1f043b14-21e9-46a0-a0fe-3abe3d3ddabd.log, see notepad.exe PID 4300 below; a handler log, not a ransom note)

      • open.exe (PID: 6868)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6360)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6360)
    • Reads the computer name

      • open.exe (PID: 6932)
      • open.exe (PID: 6116)
    • Disables trace logs

      • open.exe (PID: 6932)
    • Checks proxy server information

      • open.exe (PID: 6932)
      • open.exe (PID: 2600)
      • open.exe (PID: 6244)
    • Checks supported languages

      • open.exe (PID: 6932)
      • open.exe (PID: 6116)
    • Reads the machine GUID from the registry

      • open.exe (PID: 6932)
      • open.exe (PID: 6116)
      • open.exe (PID: 7124)
      • open.exe (PID: 2600)
      • open.exe (PID: 6244)
    • Reads the software policy settings

      • open.exe (PID: 6932)
      • open.exe (PID: 2600)
    • Manual execution by a user

      • cmd.exe (PID: 4672)
      • notepad++.exe (PID: 7052)
      • notepad++.exe (PID: 1544)
      • open.exe (PID: 6116)
      • open.exe (PID: 2600)
      • notepad++.exe (PID: 5728)
      • notepad++.exe (PID: 6816)
      • open.exe (PID: 6868)
      • notepad++.exe (PID: 4816)
      • open.exe (PID: 7124)
      • notepad++.exe (PID: 1944)
      • open.exe (PID: 6244)
      • open.exe (PID: 7104)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6360)
    • Sends debugging messages

      • notepad++.exe (PID: 7052)
      • notepad++.exe (PID: 1544)
      • notepad++.exe (PID: 5728)
      • notepad++.exe (PID: 6816)
      • notepad++.exe (PID: 4816)
      • notepad++.exe (PID: 1944)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4652)
    • Create files in a temporary directory

      • open.exe (PID: 6868)
      • open.exe (PID: 6244)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

xor-url

(PID) Process(6932) open.exe
Decrypted-URLs (1): https://sharepoint.com/
(PID) Process(2600) open.exe
Decrypted-URLs (1): https://sharepoint.com/
(PID) Process(6244) open.exe
Decrypted-URLs (1): https://sharepoint.com/
(The XOR-encoded string is the Referer value of the Malleable C2 profile below, a decoy header that makes the beacon's requests look like SharePoint traffic. It is not a C2 address; the actual C2 host is the execute-api.ca-central-1.amazonaws.com name in the CobaltStrike section.)

CobaltStrike

(PID) Process(6932) open.exe
C2 (1): dtgx9t4lk0.execute-api.ca-central-1.amazonaws.com/files/odsp-web-prod_2021-02-26_2021/sitehubwebpack/63.chunk.js
BeaconType: HTTPS
Port: 443
SleepTime: 60000
MaxGetSize: 2801642
Jitter: 25
PublicKey:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYFww9hCrQX3TVTPEKE9YOPf5K
H8sUqNtiJagA4bzRJ/kK24TuMH6Sq2ws6Kdbh/iwmNg+OQcgqj6J3bPp9nDn9ieo
c2P/TWS1H5563vphEAzo6SJL2nEoILhIKeiFyNjIbwfEqzk8sNbQClF/90GUWFCr
/JWK6dvht/6yM62yDQIDAQAB
-----END PUBLIC KEY-----
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\werfault.exe -s -t 3332 -i 1286 -o 0
Spawnto_x64: %windir%\system32\werfault.exe -s -t 3364 -i 1284 -o 0
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 889678875
bStageCleanup: True
bCFGCaution: False
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32
HttpPostUri: /_forms/default.aspx
Malleable_C2_Instructions: Remove 5434 bytes from the beginning, Base64 decode, XOR mask w/ random key
HttpGet_Metadata:
  ConstHeaders (4):
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Referer: https://sharepoint.com/
    Accept-Encoding: gzip, deflate
  SessionId (3):
    base64
    prepend: __cfduid=
    header: Cookie
HttpPost_Metadata:
  ConstHeaders (2):
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
  SessionId (3):
    mask
    base64url
    parameter: __cfduid
  Output (3):
    mask
    base64url
    print
bUsesCookies: 0001
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: False
bProcInject_UseRWX: False
bProcInject_MinAllocSize: 18000
ProcInject_PrependAppend_x86: 9090..
ProcInject_PrependAppend_x64: 9090..
ProcInject_Stub: 29b180d316c59ea2bfb9a4714c1e529f
ProcInject_AllocationMethod: NtMapViewOfSection
(PID) Process(2600) open.exe
Configuration identical to the one extracted from PID 6932 above (same C2, BeaconType HTTPS on port 443, Watermark 889678875, public key, Spawnto werfault.exe values and Malleable C2 profile).
(PID) Process(6244) open.exe
Configuration identical to the one extracted from PID 6932 above (same C2, BeaconType HTTPS on port 443, Watermark 889678875, public key, Spawnto werfault.exe values and Malleable C2 profile).
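The profile extracted from PID 6932 is enough to reproduce the beacon's wire format and to undo it. The following Python is an added example written for this page; it is not code from the ANY.RUN report and not Cobalt Strike's own implementation. It carries the constant headers, User-Agent, GET URI and POST URI exactly as extracted, and implements the SessionId, Output and response transforms (base64, mask, base64url, prepend, the 5434-byte strip) as documented for Cobalt Strike's Malleable C2. Two details are assumptions rather than facts from the report: `mask` is taken to be a 4-byte random key prepended to the data XORed with that key, and `base64url` is taken to strip its padding. Every session, output and task byte string used below is constructed sample data.

```python
"""Added example (editor's code, not from the ANY.RUN report or from Cobalt Strike):
re-implements the client-side transforms of the Malleable C2 profile extracted
above, so the beacon's GET/POST shape can be reproduced for test traffic and the
__cfduid cookie/parameter and the server's response body can be decoded from a PCAP.

Assumptions, taken from Cobalt Strike's documented transforms rather than this report:
  * 'mask'      : 4 random key bytes, then the data XORed with that key (repeating)
  * 'base64url' : URL-safe Base64; padding stripped on encode, tolerated on decode
All session/output/task bytes passed to these functions are constructed sample data.
"""
import base64
import os
import re
from typing import Optional, Tuple

# Values copied from the configuration extracted from PID 6932 (identical for 2600 and 6244).
PROFILE = {
    "user_agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32"),
    "get_uri": "/files/odsp-web-prod_2021-02-26_2021/sitehubwebpack/63.chunk.js",
    "post_uri": "/_forms/default.aspx",
    "get_const_headers": {"Accept": "*/*", "Accept-Language": "en-US,en;q=0.5",
                          "Referer": "https://sharepoint.com/", "Accept-Encoding": "gzip, deflate"},
    "post_const_headers": {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                           "Accept-Encoding": "gzip, deflate"},
    "cookie_prefix": "__cfduid=",      # GET SessionId: base64 -> prepend "__cfduid=" -> header Cookie
    "post_param": "__cfduid",          # POST SessionId: mask -> base64url -> parameter __cfduid
    "response_prepend_len": 5434,      # "Remove 5434 bytes from the beginning, Base64 decode, XOR mask"
}


def mask(data: bytes, key: Optional[bytes] = None) -> bytes:
    """'mask' transform (assumed layout): 4-byte key || data XOR key, key repeating every 4 bytes."""
    key = os.urandom(4) if key is None else key
    if len(key) != 4:
        raise ValueError("mask key must be exactly 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(blob: bytes) -> bytes:
    """Inverse of mask(): the key is the first 4 bytes of the blob."""
    if len(blob) < 4:
        raise ValueError("masked blob shorter than its 4-byte key")
    key, body = blob[:4], blob[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_get_request(session_metadata: bytes) -> dict:
    """HttpGet_Metadata as the beacon sends it (the metadata is RSA-encrypted before this step)."""
    headers = dict(PROFILE["get_const_headers"])
    headers["User-Agent"] = PROFILE["user_agent"]
    headers["Cookie"] = PROFILE["cookie_prefix"] + base64.b64encode(session_metadata).decode()
    return {"method": "GET", "uri": PROFILE["get_uri"], "headers": headers}


def decode_get_cookie(cookie_header: str) -> bytes:
    """Pull the __cfduid value out of a Cookie header and undo the base64 transform."""
    for part in cookie_header.split(";"):
        part = part.strip()
        if part.startswith(PROFILE["cookie_prefix"]):
            return base64.b64decode(part[len(PROFILE["cookie_prefix"]):])
    raise ValueError("no __cfduid cookie present")


def build_post_request(session_id: bytes, output: bytes, key: Optional[bytes] = None) -> dict:
    """HttpPost_Metadata: id -> mask -> base64url -> ?__cfduid=...; Output: mask -> base64url -> body."""
    headers = dict(PROFILE["post_const_headers"])
    headers["User-Agent"] = PROFILE["user_agent"]
    uri = "%s?%s=%s" % (PROFILE["post_uri"], PROFILE["post_param"], b64url_encode(mask(session_id, key)))
    return {"method": "POST", "uri": uri, "headers": headers, "body": b64url_encode(mask(output, key))}


def decode_post_request(uri: str, body: str) -> Tuple[bytes, bytes]:
    """Recover (session_id, output) from a POST's query string and body."""
    m = re.search(r"[?&]" + re.escape(PROFILE["post_param"]) + r"=([A-Za-z0-9_\-=]+)", uri)
    if not m:
        raise ValueError("no __cfduid parameter in URI")
    return unmask(b64url_decode(m.group(1))), unmask(b64url_decode(body))


def build_server_response(task: bytes, key: Optional[bytes] = None, filler: bytes = b"/* chunk */ ") -> bytes:
    """Team-server side of Malleable_C2_Instructions: 5434 filler bytes, then base64(mask(task))."""
    n = PROFILE["response_prepend_len"]
    prepend = (filler * (n // len(filler) + 1))[:n]
    return prepend + base64.b64encode(mask(task, key))


def decode_server_response(body: bytes) -> bytes:
    """Apply the instructions in the listed order: strip 5434 bytes, Base64-decode, unmask."""
    n = PROFILE["response_prepend_len"]
    if len(body) < n:
        raise ValueError("body shorter than the 5434-byte prepend; not a beacon task response")
    return unmask(base64.b64decode(body[n:]))
```

What the decoders return is still ciphertext: the value inside the `__cfduid` cookie is Beacon's session metadata RSA-encrypted with the PublicKey shown in the configuration, and the unmasked response body is task data encrypted with the session key. Stripping the transforms is what you need to carve this beacon's traffic out of a PCAP (a GET for 63.chunk.js carrying a `__cfduid=` cookie, a POST to /_forms/default.aspx with a `__cfduid` query parameter, a response that is 5434 bytes of filler followed by Base64) and to correlate the session id across requests; reading the tasks themselves needs the team server's private key.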

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2022:08:09 16:06:38
ZipCRC: 0x309539a3
ZipCompressedSize: 34987
ZipUncompressedSize: 99800
ZipFileName: open.exe
All screenshots are available in the full report
Total processes
152
Monitored processes
20
Malicious processes
4
Suspicious processes
1

Behavior graph

Process nodes in graph order ("no specs" marks processes without behavioral indicators; #COBALTSTRIKE marks processes that matched the Cobalt Strike YARA rule):
start
winrar.exe
open.exe (#COBALTSTRIKE)
cmd.exe (no specs)
conhost.exe (no specs)
rundll32.exe (no specs)
rundll32.exe (no specs)
notepad++.exe
notepad++.exe
open.exe
werfault.exe
notepad++.exe
open.exe (#COBALTSTRIKE)
notepad++.exe
open.exe (no specs)
notepad.exe (no specs)
notepad++.exe
open.exe (no specs)
open.exe (#COBALTSTRIKE)
notepad++.exe
open.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1544
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\open.exe.config"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1944
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\open.exe.config"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2600
CMD: "C:\Users\admin\Desktop\open.exe"
Path: C:\Users\admin\Desktop\open.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual Studio Web Protocol Handler
Version:
17.0.32630.84 built by: D17.2
Modules
Images
c:\users\admin\desktop\open.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
xor-url
(PID) Process(2600) open.exe
Decrypted-URLs (1): https://sharepoint.com/
CobaltStrike
(PID) Process(2600) open.exe
Configuration identical to the one extracted from PID 6932 in the CobaltStrike section above (same C2, BeaconType HTTPS on port 443, Watermark 889678875, public key and Malleable C2 profile).
PID: 4300
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\VSWebHandler_1f043b14-21e9-46a0-a0fe-3abe3d3ddabd.log
Path: C:\Windows\SysWOW64\notepad.exe
Parent process: open.exe
(The system32 path in the command line resolved to SysWOW64 because the 32-bit open.exe launched it under WOW64 file-system redirection. The VSWebHandler_*.log name matches open.exe's "Microsoft Visual Studio Web Protocol Handler" version information.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
PID: 4652
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6116 -s 916
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: open.exe
(This is the genuine Windows Error Reporting handler for the crash of open.exe PID 6116; its "-u -p <pid> -s <event>" arguments differ from the profile's Spawnto_x86/x64 line "werfault.exe -s -t ... -i ... -o 0", which is the sacrificial process the beacon would spawn for post-exploitation jobs.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4672
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
PID: 4816
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\open.exe.config"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\msvcp_win.dll
PID: 4984
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5728
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\open.exe.config"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
PID: 6116
CMD: "C:\Users\admin\Desktop\open.exe"
Path: C:\Users\admin\Desktop\open.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual Studio Web Protocol Handler
Exit code:
3762504530 (0xE0434352, the exception code of an unhandled .NET CLR exception; consistent with mscoree.dll in this process's module list and with WerFault.exe PID 4652 writing open.exe.6116.dmp)
Version:
17.0.32630.84 built by: D17.2
Modules
Images
c:\users\admin\desktop\open.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
10 854
Read events
10 830
Write events
24
Delete events
0

Modification events

(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write   Name: 3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write   Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write   Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write   Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Archive.zip
(Only entry 0 belongs to this task. WinRAR rewrites its whole recent-archive list when it adds an entry, so entries 1-3 are archives opened in the sandbox image before this run; none of them appears in the dropped-files list below.)
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write   Name: name
Value: 120
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write   Name: size
Value: 80
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write   Name: type
Value: 120
(PID) Process: (6360) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write   Name: mtime
Value: 100
(PID) Process: (6932) open.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\open_RASAPI32
Operation: write   Name: EnableFileTracing
Value: 0
(PID) Process: (6932) open.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\open_RASAPI32
Operation: write   Name: EnableAutoFileTracing
Value: 0
(The Tracing\<image>_RASAPI32 values are created by the RAS/WinINet stack for any process that calls into it, and 0 is their default; the "Disables trace logs" signature above fires on these writes, but on their own they carry little signal. The WOW6432Node path confirms open.exe runs as a 32-bit process.)
Executable files
4
Suspicious files
8
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
6360  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$EXa6360.15793\open.exe  (executable)
MD5: 82349437F03ECC5F72759578A02FAD8C
SHA256: 228FB35C3E6B2217812DA58F4EF5CBC8E1F54BA359CF398EE0AA3A8F128BA18A
4652  WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_open.exe_9a5d5ae7ad3ee0dc47dd76f8b93063d73d456_f3b9d125_e8960bbd-d9d9-41ad-82a8-cfeb03bc4cb5\Report.wer
MD5:
SHA256:
4652  WerFault.exe  C:\Users\admin\AppData\Local\CrashDumps\open.exe.6116.dmp
MD5:
SHA256:
6360  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$EXa6360.15793\__MACOSX\._userenviron.dll  (binary)
MD5: 71878B82813295E23B7C3D9819238FA7
SHA256: 54D2C586DE97D116C6916868C2262BCF1D403600AEEE19B5046721B987B4847D
6360  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$EXa6360.15793\userenviron.dll  (executable)
MD5: 4415091695A582761C964D4E12789837
SHA256: B7E97BEC490823EDEE53BE2844A6F8CF1CCA5138DCA08F5E720CCE4EBFFA7AFC
6360  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$EXa6360.15793\open.exe.config  (text)
MD5: 501ACE99C9B54431F78D962E5D583280
SHA256: 0D07A33691A2975B0627A8D62045F70E033BEDDF57F4B203B6344C3294145D71
6360  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$DRa6360.17043\open.exe  (executable)
MD5: 82349437F03ECC5F72759578A02FAD8C
SHA256: 228FB35C3E6B2217812DA58F4EF5CBC8E1F54BA359CF398EE0AA3A8F128BA18A
4652  WerFault.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE  (binary)
MD5: 4226B5F316AACE0E4166D809950C2DF1
SHA256: 2F4F21A3F33769ED114EAEFD950094F08E93BB52FCC0EAB0A7CA9227C7B59FB3
4652  WerFault.exe  C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CBC.tmp.WERInternalMetadata.xml  (xml)
MD5: D8CDFF4C09176CC0596747F80F519994
SHA256: 0A6B393D5D5921A56AC267F2D96F55B1676B02D168164D8ACF9A53C7BD502E24
7052  notepad++.exe  C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml  (xml)
MD5: 312281C4126FA897EF21A7E8CCB8D495
SHA256: 53B4BE3ED1CFD712E53542B30CFE30C5DB35CC48BE7C57727DFEC26C9E882E90
Note on the archive contents: what WinRAR extracted is open.exe (whose version information claims to be Microsoft's Visual Studio Web Protocol Handler), userenviron.dll placed in the same directory, open.exe.config, and a __MACOSX\._userenviron.dll entry. The __MACOSX/._* file is AppleDouble metadata added by the macOS Finder when it zips a folder, so the archive was built on a Mac. An executable carrying Microsoft version information next to an unsigned same-directory DLL is the usual layout for DLL side-loading; the report does not show which module hosted the Beacon (userenviron.dll is not among the first ten modules listed for any open.exe process), so confirm it in the full report's module list before treating userenviron.dll as the loader. Note also that the hashes at the top of this page are for Archive.zip; the hash of the extracted open.exe is the SHA256 228FB35C... listed here.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
57
DNS requests
31
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5872
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4652
WerFault.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5872
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6316
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4652
WerFault.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5064
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
904
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1076
svchost.exe
69.192.162.125:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6932
open.exe
40.90.65.37:443
api-v2-session.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
904
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 69.192.162.125
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.67
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.4
whitelisted
api-v2-session.azureedge.net
  • 40.90.65.37
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
dtgx9t4lk0.execute-api.ca-central-1.amazonaws.com
  • 15.157.24.234
  • 3.98.26.52
  • 3.97.246.225
  • 3.97.19.228
shared
www.bing.com
  • 92.123.104.33
  • 92.123.104.35
  • 92.123.104.36
  • 92.123.104.31
  • 92.123.104.39
  • 92.123.104.32
  • 92.123.104.43
  • 92.123.104.37
  • 92.123.104.30
whitelisted
r.bing.com
  • 92.123.104.6
  • 92.123.104.15
  • 92.123.104.10
  • 92.123.104.5
  • 92.123.104.8
  • 92.123.104.12
  • 92.123.104.9
  • 92.123.104.14
  • 92.123.104.11
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
Debug output strings (Process: Message)
notepad++.exe: VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe: VerifyLibrary: certificate revocation checking is disabled
notepad++.exe: ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe: VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe: VerifyLibrary: error while getting certificate informations
notepad++.exe: VerifyLibrary: certificate revocation checking is disabled
notepad++.exe: VerifyLibrary: certificate revocation checking is disabled
notepad++.exe: VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe: ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe: VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll