Malware analysis 123456.zip Malicious activity | ANY.RUN

Add for printing

File name:	123456.zip
Full analysis:	https://app.any.run/tasks/b244ccb4-cef8-4c28-b085-40f36a58916c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. Malware Trends Tracker >>>
Analysis date:	May 14, 2025, 16:06:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec sality sainbox rat autohotkey ahk loader upx
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	0307559D7952B37E6E435BA272E8A5C3
SHA1:	FA2E455C95394488B3A7D143576E30D4AE116DA6
SHA256:	C536FB60FA45D0BA75C082253CFDDECA2AB2C82A389D2E71A60394A7D36F27D2
SSDEEP:	49152:wWKF8A43Qha5Bf4zgisJf1uhcmXgLDDnyKxQaMscGWJaMscGWKSLudD/rXSRJwtS:ECgha5Kkisl1IcmXgztGaMscGMaMscGi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- SALITY mutex has been found
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- SAINBOX has been detected
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- Changes Security Center notification settings
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
- UAC/LUA settings modification
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
- AHK has been detected (YARA)
  - rundll32.exe (PID: 5892)
SUSPICIOUS
- Drops a file with a rarely used extension (PIF)
  - WinRAR.exe (PID: 4628)
- Mutex name with non-standard characters
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- Executable content was dropped or overwritten
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
  - rundll32.exe (PID: 5892)
- AUTOHOTKEY mutex has been found
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- Process drops legitimate windows executable
  - rundll32.exe (PID: 5892)
- There is functionality for taking screenshot (YARA)
  - rundll32.exe (PID: 5892)
- Starts itself from another location
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4628)
  - WinRAR.exe (PID: 4000)
- The sample compiled with english language support
  - WinRAR.exe (PID: 4628)
  - rundll32.exe (PID: 5892)
  - WinRAR.exe (PID: 4000)
- Checks supported languages
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- Reads the computer name
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- Manual execution by a user
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 8004)
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
  - Taskmgr.exe (PID: 7324)
  - Taskmgr.exe (PID: 7284)
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 7696)
  - !ReForce¦--+-ó-----°¦¿¦ñ+¯.exe (PID: 4728)
  - Taskmgr.exe (PID: 4868)
  - Taskmgr.exe (PID: 8160)
  - WinRAR.exe (PID: 4000)
- Create files in a temporary directory
  - 216++-++·+-+º¦-¦¦+¦¦¦-=.exe (PID: 6244)
- Detects AutoHotkey samples (YARA)
  - rundll32.exe (PID: 5892)
- UPX packer has been detected
  - rundll32.exe (PID: 5892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2020:10:28 15:22:42
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	123456/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1116

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2924

"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Search application

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\wincorlib.dll

4000

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\123456.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4628

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\123456.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4728

"C:\Users\admin\Desktop\123456\!ReForce¦--+-ó-----°¦¿¦ñ+¯.exe"

C:\Users\admin\Desktop\123456\!ReForce¦--+-ó-----°¦¿¦ñ+¯.exe

explorer.exe

User:

admin

Company:

Gregory Maynard-Hoare

Integrity Level:

HIGH

Description:

RefreshForce - Universal W2K/XP Refresh Fix

Exit code:

Version:

1.1.0.0

Modules

Images
c:\users\admin\desktop\123456\!reforce¦--+-ó-----°¦¿¦ñ+¯.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4868

"C:\WINDOWS\system32\taskmgr.exe" /7

C:\Windows\System32\Taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Manager

Exit code:

3221226540

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll

5892

C:\Users\admin\AppData\Roaming\Microsoft\Office\rundll32.exe

216++-++·+-+º¦-¦¦+¦¦¦-=.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\microsoft\office\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6244

"C:\Users\admin\Desktop\123456\H\! 360U+¦¦ún++(+d¦-+-+¦\2019_9_20_10_25\216++-++·+-+º¦-¦¦+¦¦¦-=.exe"

C:\Users\admin\Desktop\123456\H\! 360U+¦¦ún++(+d¦-+-+¦\2019_9_20_10_25\216++-++·+-+º¦-¦¦+¦¦¦-=.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\123456\h\! 360u+¦¦ún++(+d¦-+-+¦\2019_9_20_10_25\216++-++·+-+º¦-¦¦+¦¦¦-=.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6268

"C:\Users\admin\AppData\Local\Temp\Rar$EXa4000.40643\123456\!ReForce¦--+-ó-----°¦¿¦ñ+¯.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa4000.40643\123456\!ReForce¦--+-ó-----°¦¿¦ñ+¯.exe

—

WinRAR.exe

User:

admin

Company:

Gregory Maynard-Hoare

Integrity Level:

MEDIUM

Description:

RefreshForce - Universal W2K/XP Refresh Fix

Exit code:

Version:

1.1.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa4000.40643\123456\!reforce¦--+-ó-----°¦¿¦ñ+¯.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

7176

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

17 901

Read events

17 737

Write events

160

Delete events

Modification events


(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\123456.zip
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(4628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256

Add for printing

Executable files

Suspicious files

Text files

181

Unknown types

Dropped files

PID	Process	Filename		Type
4628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4628.12603\123456\!ReForce¦--+-ó-----°¦¿¦ñ+¯.exe		executable
		MD5:CA9C0BDC9E2501A1C796A2672E2D96FE	SHA256:213A6DFB1982CE4F6EED502607DE43D05994B4EB749CDAD39D4143A6CC3C9728
4628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4628.12603\123456\C\Documents and Settings\Administrator\+++µ\pdyy.pif		executable
		MD5:B6E5DDFBFCDBF81963BBFAF3B14C99FE	SHA256:778BC1F4AF9ED5A4E9F8D3A1BA23098E77458652B1CCA1BCDDB5EC5ABF7ECF9F
4628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4628.12603\123456\C\autorun.inf		text
		MD5:9AC84FEED8EA16E083B9AB94A2F13FEA	SHA256:563CB43418904824A292C660717DA2FDD7DBF073DA14F3B61203842532D22681
4628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4628.12603\123456\e\qptln.pif		executable
		MD5:43B540056374CC2602E1CCCFDCFE5EBB	SHA256:20D120E1368E2F31BB992F83E2D1F0C3887E5C4E19E07DCE995B8236960508D7
8004	!ReForce¦--+-ó-----°¦¿¦ñ+¯.exe	C:\Windows\system.ini		binary
		MD5:07435B927DBAA36E12A8D807182922B5	SHA256:8D92A27CEA26A4F8E8F0111065AA3DB93EE63B68CA2138D1E077431E98191093
4628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4628.12603\123456\H\nknuau.pif		executable
		MD5:B6E5DDFBFCDBF81963BBFAF3B14C99FE	SHA256:778BC1F4AF9ED5A4E9F8D3A1BA23098E77458652B1CCA1BCDDB5EC5ABF7ECF9F
4628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4628.12603\123456\H\autorun.inf2		binary
		MD5:F0F49837FF3B05AE0B263B9272B68ACE	SHA256:2EEF4DF74C1810615B33839556CCF8D712CA60967FC4EA019AAC03AEE1B091A0
6244	216++-++·+-+º¦-¦¦+¦¦¦-=.exe	C:\Users\admin\AppData\Local\Temp\00119E02_Rar\216++-++·+-+º¦-¦¦+¦¦¦-=.exe		executable
		MD5:A567519F29FC3836D7CFBBFD47AB60C5	SHA256:F014A1E1318DF67200B466CFD7641D0714FAE7280E3F54DDD4C515EC8A5C2F37
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:F481E8DBBBCA0254A53EA1FABCC11D89	SHA256:6E33897F91A3B99B4A440B84CC7457E157749C016125323F62112B60764A677D
6244	216++-++·+-+º¦-¦¦+¦¦¦-=.exe	C:\Users\admin\AppData\Roaming\Microsoft\Office\rundll32.exe		executable
		MD5:A567519F29FC3836D7CFBBFD47AB60C5	SHA256:F014A1E1318DF67200B466CFD7641D0714FAE7280E3F54DDD4C515EC8A5C2F37

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7844	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7844	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
1568	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.183:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	172.217.18.110	whitelisted
crl.microsoft.com	23.48.23.183 23.48.23.191 23.48.23.181 23.48.23.177 23.48.23.176 23.48.23.178 23.48.23.190 23.48.23.180 23.48.23.179	whitelisted
www.microsoft.com	23.52.120.96 184.30.21.171	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
login.live.com	40.126.32.134 20.190.160.4 40.126.32.74 20.190.160.131 20.190.160.2 20.190.160.14 20.190.160.17 20.190.160.22	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
www.bing.com	2.19.96.80 2.19.96.91 2.19.96.64 2.19.96.81 2.19.96.75 2.19.96.107 2.19.96.88 2.19.96.59 2.19.96.112	whitelisted

Threats

PID	Process	Class	Message
2924	SearchApp.exe	Not Suspicious Traffic	INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)

Add for printing

No debug info

General Info

123456.zip

0307559D7952B37E6E435BA272E8A5C3

FA2E455C95394488B3A7D143576E30D4AE116DA6

C536FB60FA45D0BA75C082253CFDDECA2AB2C82A389D2E71A60394A7D36F27D2

49152:wWKF8A43Qha5Bf4zgisJf1uhcmXgLDDnyKxQaMscGWJaMscGWKSLudD/rXSRJwtS:ECgha5Kkisl1IcmXgztGaMscGMaMscGi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALITY mutex has been found

SAINBOX has been detected

Changes Security Center notification settings

UAC/LUA settings modification

AHK has been detected (YARA)

SUSPICIOUS

Drops a file with a rarely used extension (PIF)

Mutex name with non-standard characters

Executable content was dropped or overwritten

AUTOHOTKEY mutex has been found

Process drops legitimate windows executable

There is functionality for taking screenshot (YARA)

Starts itself from another location

INFO

Executable content was dropped or overwritten

The sample compiled with english language support

Checks supported languages

Reads the computer name

Manual execution by a user

Create files in a temporary directory

Detects AutoHotkey samples (YARA)

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings