File name:

CreamApi-lastest-b1.zip

Full analysis: https://app.any.run/tasks/c3030517-f0ea-4550-9a3a-d8283c3e7fc8
Verdict: Malicious activity
Analysis date: July 06, 2025, 04:24:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

458BBDDEEB04FCE243057628A5BDE9FC

SHA1:

CA3B9CD9B3838FBF7CF22646365C02BA15C19242

SHA256:

D325FD13D0EF35D356708998F7CF0A81B5A8CD9FA9F79C1CD36D69D40EB1E85E

SSDEEP:

393216:teIReyMqdtn8IyP9zLAJfwPJYVICa/NmsJOkic7ZWVLBJxh/ZlO:teIPMc8IyFzLAJfwPSS/Po9ci9BO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • updater.exe (PID: 1156)
    • The process executes via Task Scheduler

      • updater.exe (PID: 1156)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3460)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3460)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3460)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3460)
  • INFO

    • Checks supported languages

      • updater.exe (PID: 1156)
      • updater.exe (PID: 6768)
      • MpCmdRun.exe (PID: 1324)
    • Reads the computer name

      • updater.exe (PID: 1156)
      • MpCmdRun.exe (PID: 1324)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1156)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3460)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 3460)
    • Creates files in a temporary directory

      • MpCmdRun.exe (PID: 1324)
    • Checks proxy server information

      • slui.exe (PID: 6164)
    • Reads the software policy settings

      • slui.exe (PID: 6164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:11 04:24:52
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: CreamApi-lastest-b1/
No data.
All screenshots are available in the full report
Total processes
131
Monitored processes
7
Malicious processes
0
Suspicious processes
1

Behavior graph

Processes in the graph: winrar.exe, slui.exe, updater.exe (no specs), updater.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), mpcmdrun.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1156
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1324
CMD:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815"
Path:
C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID:
3460
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\CreamApi-lastest-b1.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
4760
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\Rar$Scan90800.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
5552
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6164
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6768
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
5 104
Read events
5 094
Write events
10
Delete events
0

Modification events

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\CreamApi-lastest-b1.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write
Name: ArcSort
Value:
32

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation: write
Name: DefScanner
Value:
Windows Defender
Executable files
52
Suspicious files
1
Text files
70
Unknown types
0

Dropped files

PID | Process | Filename | Type
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Forms\DebugForm.cs | text
MD5: D0DF3F51281CDDC3B984C7054E394219
SHA256: 1DA3DB63BF715EC7CD513DDFE62FF257601E524BB0AE54DF743D1C05EE693FFD
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller.sln | text
MD5: E8E9E44CE8E9969902F5B90529B35306
SHA256: 6E0C2D9F31766361AD35D0F3FE2A6FFF974C7E9E10F58FAA32A7034F6BEAB29D
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.gitattributes | text
MD5: 05BDB783EE6514C8C072E47680AF8FF7
SHA256: 1A1DBE176BC233B499D35A57DB7513F2941C99AB9759F177830C9149BE99005B
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Components\PlatformIdComparer.cs | text
MD5: F9556490778EC29526FB1CBD5F64741B
SHA256: ED09AAB0E7E7593D78C9407D24788BCB9C2919F7F6CE003A80C025079B8A4CD5
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Components\CustomForm.cs | text
MD5: 33654D25487375A41441D318AB0F703A
SHA256: 52B43FB5CE947C1485E2ECFD3C3A9F1ECE56048747717DB78AEE154C0DE32A1F
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Components\CustomTreeView.cs | text
MD5: 031E1838F996D940A9EEFAA31689C4BF
SHA256: 6228B32ACC2ECF51203A433C32AF2ABC01B102AB49B01A2638E96576FE43A80A
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\CreamInstaller.csproj | text
MD5: 157F4F92ACBD48998D190D590510002E
SHA256: A8FF1DFDD9C1A9FF0A4876A6DEF47061FF6CAC4FDB39914DC34597B44B77D1EC
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Forms\DebugForm.Designer.cs | text
MD5: 0D5DC6313D2D1F46C3318C9F0784CB44
SHA256: 2B6CA7D1736FD469DF5705953F500AD83879FE379C6E4C898804C3FA28DD01AE
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\ISSUE_TEMPLATE\bug-report.md | text
MD5: C8C3DBCB5A0D54645D6F77EB0FB3D035
SHA256: D871E0BE78298C91811618FCCD981AC795231246F1CAD789D2DCB0D1F35A5EB7
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\ISSUE_TEMPLATE\enhancement-request.md | text
MD5: 6798F1648AEFD49540BD8BB708BD376A
SHA256: 0B5B181828A8DA20E7DB0A1DBA2F32837AC9C79002EA0BCC0308932447074C3C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
43
DNS requests
17
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | unknown
- | - | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | unknown
- | - | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2520 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.76
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.128
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

No threats detected
No debug info