File name:

3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.zip

Full analysis: https://app.any.run/tasks/bed84480-429f-4afd-8ee4-70295c23fd76
Verdict: Malicious activity
Analysis date: May 15, 2025, 12:44:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

560CAFDE2B8936143BFA67CF9CC0524E

SHA1:

0DE73B68A285E3D06ACC0A026C99F9271B657EE0

SHA256:

CFC37A2D7418C6FCBFAAFF0C8C6E02EBA147943C7407B4AE5F6968163F40268D

SSDEEP:

98304:+fLWEvDjvDALfd5PodTQhNKm5hoqR8c/CCu+Dgszp5nQ+ousxf5kgtOnEejw0KwU:FzO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe (PID: 6372)
      • cmd.exe (PID: 976)
      • cmd.exe (PID: 2148)
    • Changes Windows Defender settings

      • cmd.exe (PID: 976)
      • cmd.exe (PID: 2148)
    • Changes the autorun value in the registry

      • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe (PID: 6372)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7000)
    • Starts CMD.EXE for commands execution

      • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe (PID: 6372)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 976)
      • cmd.exe (PID: 2148)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 976)
      • cmd.exe (PID: 2148)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2108)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1324)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4892)
    • Connects to unusual port

      • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe (PID: 6372)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7000)
    • Checks supported languages

      • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe (PID: 6372)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe (PID: 6372)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4040)
      • powershell.exe (PID: 5376)
    • Manual execution by a user

      • mspaint.exe (PID: 4220)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4040)
      • powershell.exe (PID: 5376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2025:05:07 07:15:00
ZipCRC: 0xdf1ca483
ZipCompressedSize: 1773475
ZipUncompressedSize: 1818112
ZipFileName: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain as shown in the graph (processes marked "no specs" have no detailed specification in the report):
  • start
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • attrib.exe (no specs)
  • mspaint.exe (no specs)
  • rundll32.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 976
CMD: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"
Path: C:\Windows\System32\cmd.exe
Parent process: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1228
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1324
CMD: cmd /Q /C reg add "HKCU\Software\Networking5 Servic1e" /f
Path: C:\Windows\System32\cmd.exe
Parent process: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2108
CMD: cmd /Q /C move /Y C:\Users\admin\AppData\Local\Temp\Rar$EXb7000.41899\3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe C:\Users\admin\AppData\Roaming\Microsoft\Registry.exe
Path: C:\Windows\System32\cmd.exe
Parent process: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2148
CMD: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Roaming\Microsoft"
Path: C:\Windows\System32\cmd.exe
Parent process: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2656
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4040
CMD: powershell -Command Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4220
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\dewarning.jpg"
Path: C:\Windows\System32\mspaint.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4408
CMD: attrib +S +H C:\Users\admin\AppData\Roaming\Microsoft\Registry.exe
Path: C:\Windows\System32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 4892
CMD: cmd /C "attrib +S +H C:\Users\admin\AppData\Roaming\Microsoft\Registry.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 14 497
Read events: 14 452
Write events: 44
Delete events: 1

Modification events

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.zip

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7000) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6372) 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Registry
Value: C:\Users\admin\AppData\Roaming\Microsoft\Registry.exe
Executable files: 2
Suspicious files: 1
Text files: 4
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 4040
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hpobixtg.ct4.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5376
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 3427EC799F19D14A4DDE4B3A622AED6F
SHA256: E3556D882074EE9F65A356754E61BF517D2960F09C9E07CEA026ED19A2D7480E

PID: 7000
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb7000.41899\3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36.exe
Type: executable
MD5: 618EA7B0E2A26F3C6DB0A8664C63FC6F
SHA256: 3215DECFFC40B3257EBEB9B6E5C81C45E298A020F33EF90C9418C153C6071B36

PID: 5376
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qiuiikgj.3uv.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5376
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3jlqjmr4.yws.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2108
Process: cmd.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Registry.exe
Type: executable
MD5: 618EA7B0E2A26F3C6DB0A8664C63FC6F
SHA256: 3215DECFFC40B3257EBEB9B6E5C81C45E298A020F33EF90C9418C153C6071B36

PID: 4040
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4hafwcsi.40g.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 22
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(not listed) | (not listed) | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4120 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4120 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | (not listed) | (not listed) | (not listed) | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
6544 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not listed) | (not listed) | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
(not listed) | (not listed) | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (not listed) | (not listed) | (not listed) | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 23.35.229.160
whitelisted
google.com
  • 216.58.206.78
whitelisted
login.live.com
  • 40.126.31.67
  • 40.126.31.131
  • 40.126.31.1
  • 20.190.159.129
  • 20.190.159.71
  • 40.126.31.130
  • 20.190.159.64
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted

Threats

No threats detected
No debug info