File name:

MP.zip

Full analysis: https://app.any.run/tasks/affd2777-1bf3-4c5b-a61b-389043d0feed
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 21, 2025, 02:13:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
delphi
enigma
antivm
modiloader
loader
upx
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

A9FEF0E9ED1D9CFF42396BFBD9B36A99

SHA1:

DB6578F81F792FFC71D8FE58DD72853CFB224C42

SHA256:

B68DE2C09650A5C738E1BC123B3A101D7632B6A37860E3EBC1921555BBA8945A

SSDEEP:

98304:wgBv3AqCsn/u4Zlvo+DCQMY5MEOuceogxHfCjy2PCwxIWK8FgTrqfDVvEmiJefLt:NDRo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1604)
    • MODILOADER mutex has been found

      • AdobeART.exe (PID: 3944)
    • Changes the autorun value in the registry

      • AdobeART.exe (PID: 3944)
  • SUSPICIOUS

    • There is functionality for VM detection VirtualBox (YARA)

      • MP-Tools.exe (PID: 4684)
      • MP-Tools.exe (PID: 1936)
    • There is functionality for taking screenshot (YARA)

      • MP-Tools.exe (PID: 4684)
      • MP-Tools.exe (PID: 1936)
    • Reads security settings of Internet Explorer

      • MP-Tools.exe (PID: 4684)
      • Build.exe (PID: 6012)
    • Executable content was dropped or overwritten

      • upx.exe (PID: 4708)
      • MP-Tools.exe (PID: 4684)
      • Build.exe (PID: 6012)
    • Starts itself from another location

      • Build.exe (PID: 6012)
    • There is functionality for communication over UDP network (YARA)

      • AdobeART.exe (PID: 3944)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 1604)
    • Enigma protector has been detected

      • MP-Tools.exe (PID: 4684)
      • MP-Tools.exe (PID: 1936)
    • Checks supported languages

      • MP-Tools.exe (PID: 4684)
      • upx.exe (PID: 4708)
      • Build.exe (PID: 6012)
      • AdobeART.exe (PID: 3944)
      • MP-Tools.exe (PID: 7124)
      • MP-Tools.exe (PID: 1936)
    • Manual execution by a user

      • MP-Tools.exe (PID: 4684)
      • Build.exe (PID: 6012)
      • Taskmgr.exe (PID: 5560)
      • MP-Tools.exe (PID: 7124)
      • Taskmgr.exe (PID: 6176)
      • MP-Tools.exe (PID: 1936)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1604)
    • Reads the computer name

      • MP-Tools.exe (PID: 4684)
      • Build.exe (PID: 6012)
      • MP-Tools.exe (PID: 7124)
      • AdobeART.exe (PID: 3944)
      • MP-Tools.exe (PID: 1936)
    • Compiled with Borland Delphi (YARA)

      • MP-Tools.exe (PID: 4684)
      • MP-Tools.exe (PID: 1936)
    • Process checks computer location settings

      • MP-Tools.exe (PID: 4684)
      • Build.exe (PID: 6012)
    • Creates files or folders in the user directory

      • Build.exe (PID: 6012)
    • Launching a file from a Registry key

      • AdobeART.exe (PID: 3944)
    • UPX packer has been detected

      • AdobeART.exe (PID: 3944)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 6176)
    • Checks proxy server information

      • slui.exe (PID: 1028)
    • Reads the software policy settings

      • slui.exe (PID: 1028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:06:20 22:12:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MP/
No data.
All screenshots are available in the full report
Total processes
150
Monitored processes
12
Malicious processes
2
Suspicious processes
1

Behavior graph

Process nodes, in graph order (starting from the launched archive):
  • winrar.exe
  • rundll32.exe (no specs)
  • mp-tools.exe
  • slui.exe
  • upx.exe
  • conhost.exe (no specs)
  • build.exe
  • adobeart.exe (#MODILOADER)
  • mp-tools.exe (no specs)
  • taskmgr.exe (no specs)
  • taskmgr.exe
  • mp-tools.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1028
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1604
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\MP.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1936
CMD: "C:\Users\admin\Desktop\MP\MP-Tools.exe"
Path: C:\Users\admin\Desktop\MP\MP-Tools.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\mp\mp-tools.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 3944
CMD: "C:\Users\admin\AppData\Roaming\AdobeART.exe"
Path: C:\Users\admin\AppData\Roaming\AdobeART.exe
Parent process: Build.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\adobeart.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4684
CMD: "C:\Users\admin\Desktop\MP\MP-Tools.exe"
Path: C:\Users\admin\Desktop\MP\MP-Tools.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\mp\mp-tools.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4708
CMD: "C:\Users\admin\Desktop\MP\Data\upx.exe" "C:\Users\admin\Desktop\MP\Build.exe"
Path: C:\Users\admin\Desktop\MP\Data\upx.exe
Parent process: MP-Tools.exe
User:
admin
Company:
The UPX Team http://upx.sf.net
Integrity Level:
MEDIUM
Description:
UPX executable packer
Exit code:
0
Version:
3.07 (2010-09-08)
Modules
Images
c:\users\admin\desktop\mp\data\upx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: upx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5560
CMD: "C:\WINDOWS\system32\taskmgr.exe" /7
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID: 5600
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6012
CMD: "C:\Users\admin\Desktop\MP\Build.exe"
Path: C:\Users\admin\Desktop\MP\Build.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\mp\build.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
6 408
Read events
6 386
Write events
21
Delete events
1

Modification events

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\MP.zip

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1604) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3944) AdobeART.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AdobeART
Value: C:\Users\admin\AppData\Roaming\AdobeART.exe

(PID) Process: (3944) AdobeART.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AdobeART
Value: C:\Users\admin\AppData\Roaming\AdobeART.exe
Executable files
9
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.33195\MP\Data\Settings.ini
Type: text
MD5: 609316B918A9AA02F455D320A98550EA
SHA256: 5153800E4E679B522B834EACC9DE172BBFFAD30230BF00C9A8EDF4046807EFA5

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.33195\MP\Data\GeoIP.dat
Type: binary
MD5: C6D371AC18598838B61750E874E64400
SHA256: 03B4F8ACA1E4AB4FE526997FDFBE70FDC2CCA84FD95728716F7653173B48130B

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.33195\MP\MP-Tools.exe
Type: executable
MD5: 2EA9A771E49DF4EEE2CE5FC8C1AC3504
SHA256: F7B11E7765F205150735C87B0ED0DBFBBC8A4382B1869FA0095DC9514A485B04

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.33195\MP\Data\Stub.mp
Type: executable
MD5: A50930FFFED3B5D075E53A4EE93FE0FC
SHA256: C7F4111B8D1F6201428027EAC96AD6A54FF7BE3BC804BE0C05980F22D4EA3765

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.33195\MP\Data\upx.exe
Type: executable
MD5: 308F709A8F01371A6DD088A793E65A5F
SHA256: C0F9FAFFDF14AB2C853880457BE19A237B10F8986755F184ECFE21670076CB35

PID: 4684
Process: MP-Tools.exe
Filename: C:\Users\admin\Desktop\MP\RCX78A6.tmp
Type: executable
MD5: 00DF2389B17B5F4E9A65545501DD1338
SHA256: 00A7F6577320FFB19471C77175F56D5444D6BA495493BF4C1020670834F987BE

PID: 4684
Process: MP-Tools.exe
Filename: C:\Users\admin\Desktop\MP\Build.exe
Type: executable
MD5: A50930FFFED3B5D075E53A4EE93FE0FC
SHA256: C7F4111B8D1F6201428027EAC96AD6A54FF7BE3BC804BE0C05980F22D4EA3765

PID: 6012
Process: Build.exe
Filename: C:\Users\admin\AppData\Roaming\AdobeART.exe
Type: executable
MD5: 4F0169240832EB34235F3255AB4173C4
SHA256: 69955378347FB4C8884A7629AEA7AF65021255C180273B54818489A4894D3438

PID: 4708
Process: upx.exe
Filename: C:\Users\admin\Desktop\MP\Build.exe
Type: executable
MD5: 4F0169240832EB34235F3255AB4173C4
SHA256: 69955378347FB4C8884A7629AEA7AF65021255C180273B54818489A4894D3438

PID: 4708
Process: upx.exe
Filename: C:\Users\admin\Desktop\MP\Build.upx
Type: executable
MD5: 4F0169240832EB34235F3255AB4173C4
SHA256: 69955378347FB4C8884A7629AEA7AF65021255C180273B54818489A4894D3438
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
34
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.25.50.8:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6304
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6304
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5240
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2940
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3876 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 184.25.50.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6304 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 184.25.50.8
  • 184.25.50.10
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.3
  • 20.190.160.14
  • 40.126.32.140
  • 20.190.160.66
  • 20.190.160.2
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info