File name: Test_Zip.zip

Full analysis: https://app.any.run/tasks/1ace03f8-4132-4c6f-8955-b40b28a230fa
Verdict: Malicious activity
Analysis date: May 19, 2025, 12:59:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 297FBBC46D5E27CC17D31361D7A8066D
SHA1: 77D44DB45488068F57C43AFA2A2A7C76F6B54640
SHA256: CF604DA250BAC859DC422A57A7346B05F01F57A407C1E6DAD03AC3D7108E7045
SSDEEP: 98304:/Rxe+FUYtb9g3v9+ZG0SKgH3TTPmXrJTMQ9vkj5L4PhpbsYkinxBXbgR/QRlKZ8h:qnmxuJrzil/atam4eB78Yusa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7404)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
      • powershell.exe (PID: 6972)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7672)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7672)
    • The process executes Powershell scripts

      • cmd.exe (PID: 7672)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 8144)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 7672)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
      • powershell.exe (PID: 6972)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8144)
      • powershell.exe (PID: 6972)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6972)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 6972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:05:14 18:32:54
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: RanSim/
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes in the graph: winrar.exe, rundll32.exe, cmd.exe, conhost.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
4408
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6972
CMD:
powershell -ExecutionPolicy Bypass -NoExit -File RanSim.ps1 -Mode poc -TargetPath ".\poc_files" -Extension ".enc" -Key "Q5KyUru6wn82hlY9k8xUjJOPIC9da41jgRkpt21jo2L="
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
7404
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Test_Zip.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
7600
CMD:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
7672
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\RanSim\start.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
7680
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
7944
CMD:
powershell -ExecutionPolicy Bypass -File RanSim.ps1 -Mode encrypt -Extension ".enc" -Key "Q5KyUru6wn82hlY9k8xUjJOPIC9da41jgRkpt21jo2L=" -TargetPath ".\poc_files"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
8040
CMD:
powershell Write-Host "pepe"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
8144
CMD:
powershell -ExecutionPolicy Bypass -File RanSim.ps1 -Mode decrypt -Extension ".enc" -Key "Q5KyUru6wn82hlY9k8xUjJOPIC9da41jgRkpt21jo2L=" -TargetPath ".\poc_files"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
20 847
Read events
20 829
Write events
18
Delete events
0

Modification events

(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Test_Zip.zip
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value:
256
(PID) Process: (7404) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: size
Value:
80
Executable files
0
Suspicious files
18
Text files
42
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\info\exclude
Type: text
MD5: 036208B4A1AB4A235D75C181E685E5A3
SHA256: 6671FE83B7A07C8932EE89164D1F2793B2318058EB8B98DC5C06EE0A5A3B0EC1
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\pre-commit.sample
Type: text
MD5: 5029BFAB85B1C39281AA9697379EA444
SHA256: 57185B7B9F05239D7AB52DB045F5B89EB31348D7B2177EAB214F5EB872E1971B
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\refs\remotes\origin\HEAD
Type: text
MD5: 98B16E0B650190870F1B40BC8F4AEC4E
SHA256: 2BB6A24AA0FC6C484100F5D51A29BBAD841CD2C755F5D93FAA204E5DBB4EB2B4
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\pre-receive.sample
Type: text
MD5: 2AD18EC82C20AF7B5926ED9CEA6AEEDD
SHA256: A4C3D2B9C7BB3FD8D1441C31BD4EE71A595D66B44FCF49DDB310252320169989
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\post-update.sample
Type: text
MD5: 2B7EA5CEE3C49FF53D41E00785EB974C
SHA256: 81765AF2DAEF323061DCBC5E61FC16481CB74B3BAC9AD8A174B186523586F6C5
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\commit-msg.sample
Type: text
MD5: 579A3C1E12A1E74A98169175FB913012
SHA256: 1F74D5E9292979B573EBD59741D46CB93FF391ACDD083D340B94370753D92437
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\LICENSE
Type: text
MD5: 7325E58BFC93561A31A5EC2775AB87AC
SHA256: C5232EF7D0F1DDC721E26817DC27A09F8DACA68CF45D7A82EE4F4C1E60FE040B
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\applypatch-msg.sample
Type: text
MD5: CE562E08D8098926A3862FC6E7905199
SHA256: 0223497A0B8B033AA58A3A521B8629869386CF7AB0E2F101963D328AA62193F7
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\pre-push.sample
Type: text
MD5: 2C642152299A94E05EA26EAE11993B13
SHA256: ECCE9C7E04D3F5DD9D8ADA81753DD1D549A9634B26770042B58DDA00217D086A
PID: 7404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7404.39196\RanSim\.git\hooks\pre-applypatch.sample
Type: text
MD5: 054F9FFB8BFE04A599751CC757226DDA
SHA256: E15C5B469EA3E0A695BEA6F2C82BCF8E62821074939DDD85B77E0007FF165475
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
9
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7220 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.186.142 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info