File name:

Wi_Host1115_2024-06-05_19_26_19.221.zip

Full analysis: https://app.any.run/tasks/93b61815-6dcc-4f98-85bf-1928bccef243
Verdict: Malicious activity
Analysis date: June 05, 2024, 20:42:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

F057204F97CCE228AD5E5E5F890425AB

SHA1:

D20C217FA0CAE1861DFA7FFC61596555100F588E

SHA256:

C63B425204BCA7A8444A0B999D5EFA90F265A3D6152B5FBF2FDE7BA2B50A2ECD

SSDEEP:

24576:sDFafbokfhjp960KGNKnHRYiBqcLkl4sB0s5bM9QXHFidPRbZZw5urgk:sDFafbokfhjX60KGNKnxYiBqcLkl4sB+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Copilot Host.exe (PID: 1136)
      • HostShell.exe (PID: 1580)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3988)
      • Copilot Host.exe (PID: 1136)

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3988)
      • Copilot Host.exe (PID: 1136)
      • HostShell.exe (PID: 1580)

    • Reads the Internet Settings

      • Copilot Host.exe (PID: 1136)
      • FogCreekCopilotHost.exe (PID: 660)

    • Reads settings of System Certificates

      • Copilot Host.exe (PID: 1136)

    • Executable content was dropped or overwritten

      • HostShell.exe (PID: 1580)
      • Copilot Host.exe (PID: 1136)

    • Checks Windows Trust Settings

      • Copilot Host.exe (PID: 1136)

    • Adds/modifies Windows certificates

      • Copilot Host.exe (PID: 1136)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3988)

    • Reads the computer name

      • Copilot Host.exe (PID: 1136)
      • FogCreekCopilotHost.exe (PID: 660)
      • wmpnscfg.exe (PID: 1236)

    • Checks supported languages

      • Copilot Host.exe (PID: 1136)
      • FogCreekCopilotHost.exe (PID: 660)
      • HostShell.exe (PID: 1580)
      • wmpnscfg.exe (PID: 1236)

    • Checks proxy server information

      • Copilot Host.exe (PID: 1136)
      • FogCreekCopilotHost.exe (PID: 660)

    • Reads the machine GUID from the registry

      • Copilot Host.exe (PID: 1136)
      • FogCreekCopilotHost.exe (PID: 660)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3988)

    • Reads the software policy settings

      • Copilot Host.exe (PID: 1136)

    • Creates files or folders in the user directory

      • Copilot Host.exe (PID: 1136)

    • Create files in a temporary directory

      • Copilot Host.exe (PID: 1136)
      • HostShell.exe (PID: 1580)
      • FogCreekCopilotHost.exe (PID: 660)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0801
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x5d21dbdd
ZipCompressedSize: 549023
ZipUncompressedSize: 1110712
ZipFileName: Device/HarddiskVolume4/Users/MikeS/Old Workstation/wordproc/Copilot Host.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe copilot host.exe no specs copilot host.exe hostshell.exe fogcreekcopilothost.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660FogCreekCopilotHost.exe [C:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exeC:\Users\admin\AppData\Local\Temp\FogCreekCopilotHost.exe
HostShell.exe
User:
admin
Company:
Fog Creek Software
Integrity Level:
HIGH
Description:
Fog Creek Copilot Host
Version:
3, 0, 0, 0
Modules
Images
c:\users\admin\appdata\local\temp\fogcreekcopilothost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1136"C:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3988.48709\device\harddiskvolume4\users\mikes\old workstation\wordproc\copilot host.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1236"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1580C:\Users\admin\AppData\Local\Temp\HostShell.exe [C:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exeC:\Users\admin\AppData\Local\Temp\HostShell.exe
Copilot Host.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\hostshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3988"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Wi_Host1115_2024-06-05_19_26_19.221.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4036"C:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3988.48709\device\harddiskvolume4\users\mikes\old workstation\wordproc\copilot host.exe
c:\windows\system32\ntdll.dll
Total events
10 630
Read events
10 491
Write events
127
Delete events
12

Modification events

(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3988) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Wi_Host1115_2024-06-05_19_26_19.221.zip
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
5
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\manifest.jsonini
MD5:DC77E341B8308990EA7E8CCB9DA51312
SHA256:DB237C126053A0AC54872253CB65A899CE9F75797C7D2C09CB16E25F4A91268D
1136Copilot Host.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:822467B728B7A66B081C91795373789A
SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
3988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3988.48709\Device\HarddiskVolume4\Users\MikeS\Old Workstation\wordproc\Copilot Host.exeexecutable
MD5:79F4D7736D52D5B7120134D7EC49CD78
SHA256:3F6642DDC1B4132D55F0848141D3DF4AE2ADED0541D8386E5A6294628D3B5250
1136Copilot Host.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:91418772CE41913F773E17856790EDE7
SHA256:8BC5D0F7AA437AEB7B52E53EF6CBC596FF0AA1D7743165DE959290AC327A5888
1580HostShell.exeC:\Users\admin\AppData\Local\Temp\FogCreekCopilotHooks.dllexecutable
MD5:5284A0946FCF4D082BCC1147B2447E92
SHA256:F5AA1302696F59A82A57D9BA061CB5A0F36669FE8C702FFDB082128AE0705DAF
1136Copilot Host.exeC:\Users\admin\AppData\Local\Temp\HostShell.exeexecutable
MD5:B9624A08AEEC0460AF8A3DD25971F8B6
SHA256:0D5311ACB41EA5781A26E65CE8B200F267EA744AA331BC332B22F9D7A75A046E
1580HostShell.exeC:\Users\admin\AppData\Local\Temp\FogCreekCopilotHost.exeexecutable
MD5:6E302031D41C4B74A0A8396785CA870B
SHA256:65D2982107439508132DCB65D1BD64579DBBB33E6B288D753BA64853AD799F4D
1136Copilot Host.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:76ED7514D7C22C72D0F793451A23B064
SHA256:86A1EBA438FAF2C63CEE619FAA15E743B236179A6AD932C98995599722329F51
1136Copilot Host.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:C978B851F8802CCD3F5A486F8CE5ECC4
SHA256:3A13F81BAB2E1E2C0A26E7A46D34C41EE8CAE4652F8547A444B9F92167923259
1136Copilot Host.exeC:\Users\admin\AppData\Local\Temp\FCHost.settingsbinary
MD5:3272415E2BFFB48385CE9FF3E0F43334
SHA256:4C381C9764472FBC90E56C2F79013AB6586BD6E453C5D5051656A9013D84EF97
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1136
Copilot Host.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?956b38654546f56c
unknown
unknown
1136
Copilot Host.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
unknown
1136
Copilot Host.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2755af7cbee6f323
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1136
Copilot Host.exe
76.76.21.98:443
www.copilot.com
AMAZON-02
US
unknown
1136
Copilot Host.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1136
Copilot Host.exe
2.23.197.184:80
x1.c.lencr.org
CW Vodafone Group PLC
GB
unknown
660
FogCreekCopilotHost.exe
49.13.77.253:443
reflector.copilot.com
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
www.copilot.com
  • 76.76.21.98
  • 76.76.21.61
unknown
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
x1.c.lencr.org
  • 2.23.197.184
whitelisted
reflector.copilot.com
  • 49.13.77.253
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Wi_Host1115_2024-06-05_19_26_19.221.zip