File name:

LuLUoTPN.zip

Full analysis: https://app.any.run/tasks/7bc33bdb-e3b1-4d7e-a51d-889a496290fd
Verdict: Malicious activity
Analysis date: November 24, 2024, 12:13:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

336AE4F91BDAAB9FD548A0BB96E85BF3

SHA1:

9E30716EC6E7C9D1F099E4AE685FC9E4ECB51606

SHA256:

B9068030CEDBF08F1149951AD6AFDDE65025383E3D27E2123ECE23F6363DDE51

SSDEEP:

98304:2hsXk7/vms4XL0ZqdCZN8x4AImf0AMliFaeBFAvQa5CwDXP9XIdqDdv9AjGwE7SJ:CJNdlss8UTuhWHuFa+qk2m0oJyfcPoCn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 5548)
    • Process drops SQLite DLL files

      • WinRAR.exe (PID: 5548)
      • mdnsresponder.exe (PID: 2164)
    • Executable content was dropped or overwritten

      • mdnsresponder.exe (PID: 2164)
    • Starts application with an unusual extension

      • mdnsresponder.exe (PID: 2164)
      • mdnsresponder.exe (PID: 420)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:12:12 03:55:22
ZipCRC: 0x421f0eab
ZipCompressedSize: 100323
ZipUncompressedSize: 234528
ZipFileName: HEIC_DLL_v142.dll
No data.
All screenshots are available in the full report
Total processes
128
Monitored processes
8
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes in the graph, in graph order:
  • start
  • winrar.exe
  • mdnsresponder.exe
  • more.com (no specs)
  • conhost.exe (no specs)
  • msiexec.exe
  • mdnsresponder.exe (no specs)
  • more.com (no specs)
  • conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
420
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.34876\mdnsresponder.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.34876\mdnsresponder.exe
Parent process:
WinRAR.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
MEDIUM
Description:
iTop Data Recovery Service
Exit code:
1
Version:
4.0.0.168
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5548.34876\mdnsresponder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1944
CMD:
C:\WINDOWS\SysWOW64\more.com
Path:
C:\Windows\SysWOW64\more.com
Parent process:
mdnsresponder.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID:
2164
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\mdnsresponder.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\mdnsresponder.exe
Parent process:
WinRAR.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
MEDIUM
Description:
iTop Data Recovery Service
Exit code:
1
Version:
4.0.0.168
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5548.25023\mdnsresponder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
2380
CMD:
C:\WINDOWS\SysWOW64\more.com
Path:
C:\Windows\SysWOW64\more.com
Parent process:
mdnsresponder.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID:
2612
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4444
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5548
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\LuLUoTPN.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
6056
CMD:
C:\WINDOWS\SysWOW64\msiexec.exe
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\hbruwphrwnitsa
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
4 979
Read events
4 971
Write events
8
Delete events
0

Modification events

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\LuLUoTPN.zip

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5548) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files
154
Suspicious files
8
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\HEIC_DLL_v142.dll | executable
MD5: A706480C10F094BBCE144E92A48A9E63
SHA256: 27D4A7C49206D81B0BCDBD2922C0A1BC36177ECB315041233126B654A78A8A86

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\NetSparkle.UI.WPF.dll | executable
MD5: 4C79D38CE8A0136F2B4F584D4078A4E4
SHA256: CA31447971DF4F5D93FE3325EA750544C40C81E597972CF58D6E3CA9BBF727B6

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\HtmlRenderer.PdfSharp.dll | executable
MD5: F8730360B74E1FBFD46B6EC8E4209ACC
SHA256: BDDC95E5EED0A68A54FCF2DFA99548642966DFDBF9B91940FF028E1EBF0ACDBD

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\Manifest-Operations-Shared.dll | executable
MD5: 974953859D720C9ADF8827E9EE70575D
SHA256: E52B25435D9F626750A2B2DBE31918CD7A32C66809BA2CD50D92E12C9AF8D0E4

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\HEIC-NET.dll | executable
MD5: F71EAB315B80F78427311034A6BB46E2
SHA256: 4F27E6E32F1DFF1BC6B0F4E79B32A07DA5554844CE4820A7920E5107C67F2F40

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\Microsoft.Web.WebView2.WinForms.dll | executable
MD5: 46128473A0B3ECAA7C8980B1F8DB78DA
SHA256: 9BAC64579FB676AA77D79CB469FFD4F9F69A64EF0838F52DD1AF87931924F913

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\HtmlRenderer.dll | executable
MD5: 5CBE9851C19E0E20E503C5445A362BD4
SHA256: DB83DF8E7C877FFB0916C14C9AD6D31FD4C27CAA8CF70FEE780F6FEE15A81640

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\Microsoft.Xaml.Behaviors.dll | executable
MD5: EC5A1ABEE150ABE698689211B07CD1EC
SHA256: B864DA9D88414877CEA9B1A016146265A5FB9D0E12F4DBB1DCCC0CC998119A54

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\Microsoft.Win32.Primitives.dll | executable
MD5: 76B8D417C2F6416FA81EACC45977CEA2
SHA256: 5EAA2E82A26B0B302280D08F54DC9DA25165DD0E286BE52440A271285D63F695

5548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa5548.25023\Microsoft.Web.WebView2.Wpf.dll | executable
MD5: 39069FA58D5BA0B2B4C6F55864DADCB6
SHA256: D41B57A535EB6B4D78264DCEDAE2C635B1640B43EC05B82091A7DE9937C340D1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
26
DNS requests
8
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5892 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5892 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 104.21.20.178:443 | https://sturdy-operated.cyou/api | unknown | text | 17.1 Kb |
| | POST | 200 | 172.67.193.71:443 | https://sturdy-operated.cyou/api | unknown | text | 2 b |
| | POST | 200 | 172.67.193.71:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b |
| | POST | 200 | 104.21.20.178:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b |
| | POST | 200 | 172.67.193.71:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b |
| | POST | 200 | 104.21.20.178:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5892 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 104.126.37.176:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5892 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2324 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.176
  • 104.126.37.144
  • 104.126.37.186
  • 104.126.37.145
  • 104.126.37.130
  • 104.126.37.179
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.131
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
sturdy-operated.cyou
  • 172.67.193.71
  • 104.21.20.178
unknown
self.events.data.microsoft.com
  • 52.168.117.170
whitelisted

Threats

No threats detected
No debug info