File name:	ST_Internal_Free.zip
Full analysis:	https://app.any.run/tasks/0d2ebdf1-ba99-41cc-87bf-3df29d2acec6
Verdict:	Malicious activity
Analysis date:	April 19, 2025, 17:46:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc themida
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	FA474337236AC6899A3091817E427C5A
SHA1:	E7DCDF2231C025D4CF75912F2AA717DE792D754F
SHA256:	B70358C812B1AAEC8BD68F901019BEA3009192A121F158500F6FC5AA2184C144
SSDEEP:	196608:36ze6mkPcML9qSKgC8L8cIvv25izrvO/0kMppegtCIyw:36htDJJKgC8IcI25C+0hpsg+w

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:02:20 00:31:14
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	ST_Internal_Free/


(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\ST_Internal_Free.zip
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6028) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2284) ST_Internal_Loader(V14).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2284) ST_Internal_Loader(V14).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
7152	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\DeferredBrowserMetrics\BrowserMetrics-6803E1AB-1BF0.pma		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11391e.TMP		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11393d.TMP		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF11393d.TMP		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11395c.TMP		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
4464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF113a95.TMP		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=dCVroNgBrGFX%2Bx5rBkGCtVYq1JB4yEnsa%2BLRLlv7qCoVx0gpTDqA2tb8sNQf7%2BKjpeBopmVOJdWaLPB%2BF%2FvG1dY9EDwym0kQs1oB4GMR6tTYIkM0EE9pzPc87jeJhfpejBG31LyNIX9k	unknown	—	—	—
—	—	GET	200	104.16.79.73:443	https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015	unknown	—	—	—
2104	svchost.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	binary	585 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	5.55 Kb	whitelisted
—	—	GET	200	104.16.80.73:443	https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015	unknown	—	—	—
—	—	GET	200	150.171.28.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	132 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.20:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.216.77.20:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4464	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
5600	msedge.exe	150.171.28.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5600	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.216.77.20 23.216.77.28 23.216.77.41 23.216.77.25 23.216.77.42 23.216.77.30 23.216.77.38 23.216.77.22 23.216.77.18	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	150.171.28.11 150.171.27.11	whitelisted
www.staffbesting.store	104.21.24.184 172.67.219.229	unknown
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
business.bing.com	13.107.6.158	whitelisted
a.nel.cloudflare.com	35.190.80.1	whitelisted
www.bing.com	2.16.204.150 2.16.204.138 2.16.204.152 2.16.204.145 2.16.204.146 2.16.204.157 2.16.204.139 2.16.204.148 2.16.204.156 2.16.204.135 2.16.204.160 2.16.204.151	whitelisted

PID	Process	Class	Message
5600	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
5600	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
5600	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
5600	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
5600	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
5600	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
5600	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
5600	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

General Info

ST_Internal_Free.zip

FA474337236AC6899A3091817E427C5A

E7DCDF2231C025D4CF75912F2AA717DE792D754F

B70358C812B1AAEC8BD68F901019BEA3009192A121F158500F6FC5AA2184C144

196608:36ze6mkPcML9qSKgC8L8cIvv25izrvO/0kMppegtCIyw:36htDJJKgC8IcI25C+0hpsg+w

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the BIOS version

Starts CMD.EXE for commands execution

INFO

Reads security settings of Internet Explorer

Reads the computer name

Manual execution by a user

Creates files in the program directory

Application launched itself

Checks supported languages

Process checks whether UAC notifications are on

Reads Environment values

Themida protector has been detected

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings