File name: CreamApi-lastest-b1.zip

Full analysis: https://app.any.run/tasks/c3030517-f0ea-4550-9a3a-d8283c3e7fc8
Verdict: Malicious activity
Analysis date: July 06, 2025, 04:24:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 458BBDDEEB04FCE243057628A5BDE9FC
SHA1: CA3B9CD9B3838FBF7CF22646365C02BA15C19242
SHA256: D325FD13D0EF35D356708998F7CF0A81B5A8CD9FA9F79C1CD36D69D40EB1E85E
SSDEEP: 393216:teIReyMqdtn8IyP9zLAJfwPJYVICa/NmsJOkic7ZWVLBJxh/ZlO:teIPMc8IyFzLAJfwPSS/Po9ci9BO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • updater.exe (PID: 1156)
    • Application launched itself

      • updater.exe (PID: 1156)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3460)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3460)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3460)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3460)
  • INFO

    • Checks supported languages

      • updater.exe (PID: 1156)
      • updater.exe (PID: 6768)
      • MpCmdRun.exe (PID: 1324)
    • Reads the computer name

      • updater.exe (PID: 1156)
      • MpCmdRun.exe (PID: 1324)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1156)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3460)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 3460)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 1324)
    • Checks proxy server information

      • slui.exe (PID: 6164)
    • Reads the software policy settings

      • slui.exe (PID: 6164)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:11 04:24:52
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: CreamApi-lastest-b1/
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start
  • winrar.exe
  • slui.exe
  • updater.exe (no specs)
  • updater.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • mpcmdrun.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1156
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1324
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Malware Protection Command Line Utility
Exit code: 2
Version: 4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 3460
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\CreamApi-lastest-b1.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4760
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\Rar$Scan90800.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 5552
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6164
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6768
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 5 104
Read events: 5 094
Write events: 10
Delete events: 0

Modification events

Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\CreamApi-lastest-b1.zip
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList | Operation: write | Name: ArcSort | Value: 32
Process: (3460) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan | Operation: write | Name: DefScanner | Value: Windows Defender
Executable files: 52
Suspicious files: 1
Text files: 70
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\workflows\delete_releases.yml | text
MD5: 009C63C99C340BABC3278CF3A6B9D9A7
SHA256: A118A67B2CC6F56CA5647442ED724093B40C2159240C1A26627F4C9F4CDC4821
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\ISSUE_TEMPLATE\bug-report.md | text
MD5: C8C3DBCB5A0D54645D6F77EB0FB3D035
SHA256: D871E0BE78298C91811618FCCD981AC795231246F1CAD789D2DCB0D1F35A5EB7
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\FUNDING.yml | text
MD5: F8723011C1E0FDF1B57C7555F3FFAF7F
SHA256: 6867FB6F1C02B4D954BC767AA396053144A02CE5904DE6417E89C71F995860AF
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\ISSUE_TEMPLATE\enhancement-request.md | text
MD5: 6798F1648AEFD49540BD8BB708BD376A
SHA256: 0B5B181828A8DA20E7DB0A1DBA2F32837AC9C79002EA0BCC0308932447074C3C
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\ISSUE_TEMPLATE\false-positives.md | text
MD5: 1D3C3DC138AC391D036571926CA76B84
SHA256: BA11890759941C96DA156F9103D9F74CE2A9B8ADE75B35794EB73B508259D2D7
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\workflows\jekyll-gh-pages.yml | text
MD5: 2298BA4DA64197A0FA321BA698D085F2
SHA256: 3E9C30B39B55AB79FEC1E7C9FA92B1FB931865C263534450FE9880E3384070BE
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.gitignore | text
MD5: EC5538C9D32622E51AE5F0F2FD76A884
SHA256: 69F175476EE30C5A2626A6B70A65D3902ECCBB6424EBAAA38CFCD0C1ABED91EF
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\.github\workflows\test.yml | text
MD5: FCB2CD6F8927E01AAA690CB81D45C7CD
SHA256: E3E54CB21A0E9FCA8263455648A0068353A7205FFD96A2C44656BCBC19C83BDD
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Components\CustomForm.cs | text
MD5: 33654D25487375A41441D318AB0F703A
SHA256: 52B43FB5CE947C1485E2ECFD3C3A9F1ECE56048747717DB78AEE154C0DE32A1F
3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\CreamInstaller\Components\ContextMenuItem.cs | text
MD5: 49DC5EB0CABB064176C2B8AE11A89470
SHA256: 0C80CF2BE0B0C90EB1640487DBF7192DFC67D7EE89537C0AA936CFF5B0BCBFF9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 43
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation ("-" marks an empty cell in the report)
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks an empty cell in the report)
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2520 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.76
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.128
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

No threats detected
No debug info