File name: CreamApi-lastest-b1.zip

Full analysis: https://app.any.run/tasks/c3030517-f0ea-4550-9a3a-d8283c3e7fc8
Verdict: Malicious activity
Analysis date: July 06, 2025, 04:24:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 458BBDDEEB04FCE243057628A5BDE9FC
SHA1: CA3B9CD9B3838FBF7CF22646365C02BA15C19242
SHA256: D325FD13D0EF35D356708998F7CF0A81B5A8CD9FA9F79C1CD36D69D40EB1E85E
SSDEEP: 393216:teIReyMqdtn8IyP9zLAJfwPJYVICa/NmsJOkic7ZWVLBJxh/ZlO:teIPMc8IyFzLAJfwPSS/Po9ci9BO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3460)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3460)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3460)
    • The process executes via Task Scheduler

      • updater.exe (PID: 1156)
    • Application launched itself

      • updater.exe (PID: 1156)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3460)
  • INFO

    • Reads the computer name

      • updater.exe (PID: 1156)
      • MpCmdRun.exe (PID: 1324)
    • Checks supported languages

      • updater.exe (PID: 6768)
      • updater.exe (PID: 1156)
      • MpCmdRun.exe (PID: 1324)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1156)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 3460)
    • Reads the software policy settings

      • slui.exe (PID: 6164)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3460)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 1324)
    • Checks proxy server information

      • slui.exe (PID: 6164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report.

Reading the signatures against the process table: every SUSPICIOUS hit attributed to WinRAR.exe (PID 3460) belongs to WinRAR's built-in "Scan archive with antivirus" action, not to anything inside the archive. WinRAR unpacks the ZIP into %TEMP%\Rar$VR3460.28815 (the folder name carries WinRAR's own PID), writes Rar$Scan90800.bat there and runs it through cmd.exe (PID 4760), and the batch file calls the configured scanner, MpCmdRun.exe -Scan -ScanType 3 on that folder (PID 1324); the file-creation hits are the extraction itself (see Dropped files). The Task Scheduler and self-launch hits belong to Google Updater (updater.exe, PIDs 1156 and 6768), a SYSTEM-level background task parented by svchost.exe and outside the sample's process tree, as is slui.exe (PID 6164). No process from the extracted archive runs in this session, and the report records no malicious indicator, malware configuration or network threat, so the "Malicious activity" verdict is not explained by the signatures in this excerpt. MpCmdRun's exit code is recorded as 2; the scan result itself is not part of this excerpt.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP (the fields describe the archive's first entry, the top-level directory CreamApi-lastest-b1/, which is why the CRC is zero and the size fields are empty)

ZipRequiredVersion: 10 (v1.0)
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:11 04:24:52
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: CreamApi-lastest-b1/
No data.
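The hash block and the ZIP EXIF fields above are the static-triage facts a reviewer would recompute locally. As an added example (not code from the ANY.RUN report or from the CreamInstaller project), the Python below does that triage offline: it hashes the archive in the report's upper-case hex form, walks the central directory, reports each entry's compression method, required version, CRC and size, classifies entries by extension the way the report's file counts do, and flags zip-slip paths. The archive it inspects is built in memory and is a constructed stand-in for CreamApi-lastest-b1.zip, not the real file; the extension lists are assumptions.

```python
"""Offline triage of a ZIP archive: hashes, central-directory walk, entry classification.

Added example, not code from the ANY.RUN report. build_sample_zip() constructs a
stand-in archive (one top-level directory, stored entries, mixed text and binaries,
plus one zip-slip entry); it is not the real CreamApi-lastest-b1.zip.
"""
import hashlib
import io
import posixpath
import zipfile

# Extension lists are assumptions used for classification, not the report's own rules.
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
TEXT_EXT = {".md", ".yml", ".yaml", ".txt", ".cs", ".csproj", ".json", ".gitignore", ".gitattributes"}
METHOD_NAMES = {zipfile.ZIP_STORED: "store", zipfile.ZIP_DEFLATED: "deflate",
                zipfile.ZIP_BZIP2: "bzip2", zipfile.ZIP_LZMA: "lzma"}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case hex form the report uses."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def classify(name: str) -> str:
    if name.endswith("/"):
        return "directory"
    base = posixpath.basename(name)
    ext = posixpath.splitext(base)[1].lower() or base.lower()  # ".gitignore" has no extension
    if ext in EXECUTABLE_EXT:
        return "executable"
    if ext in TEXT_EXT:
        return "text"
    return "other"


def is_unsafe_path(name: str) -> bool:
    """Zip-slip check: absolute paths, drive letters or '..' components escape the target dir."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def triage_zip(data: bytes) -> dict:
    report = {"hashes": hash_bytes(data), "entries": [], "counts": {}, "unsafe": [], "top_level": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            kind = classify(info.filename)
            report["entries"].append({
                "name": info.filename,
                "kind": kind,
                "method": METHOD_NAMES.get(info.compress_type, str(info.compress_type)),
                "required_version": info.extract_version,  # 10 means v1.0, as in the report's EXIF block
                "crc": info.CRC,                            # 0 for an empty directory entry
                "size": info.file_size,
            })
            report["counts"][kind] = report["counts"].get(kind, 0) + 1
            if is_unsafe_path(info.filename):
                report["unsafe"].append(info.filename)
            report["top_level"].add(info.filename.replace("\\", "/").split("/", 1)[0])
    report["top_level"] = sorted(report["top_level"])
    return report


def build_sample_zip() -> bytes:
    """Constructed stand-in archive; layout mimics the report, contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("CreamApi-lastest-b1/", b"")
        zf.writestr("CreamApi-lastest-b1/.gitignore", b"bin/\nobj/\n")
        zf.writestr("CreamApi-lastest-b1/.github/workflows/test.yml", b"name: test\n")
        zf.writestr("CreamApi-lastest-b1/CreamInstaller/CreamInstaller.csproj", b"<Project />\n")
        zf.writestr("CreamApi-lastest-b1/bin/CreamInstaller.exe", b"MZ" + b"\0" * 62)
        zf.writestr("CreamApi-lastest-b1/bin/steam_api64.dll", b"MZ" + b"\0" * 62)
        zf.writestr("../escape.exe", b"MZ")  # zip-slip entry, deliberately unsafe
    return buf.getvalue()


if __name__ == "__main__":
    r = triage_zip(build_sample_zip())
    print(r["hashes"]["sha256"], r["counts"], "unsafe:", r["unsafe"], "top-level:", r["top_level"])
    for e in r["entries"]:
        print(e)
```

Run it against the real archive by replacing build_sample_zip() with the file's bytes; the SHA256 must match D325FD13D0EF35D356708998F7CF0A81B5A8CD9FA9F79C1CD36D69D40EB1E85E before any of the other output is worth reading, and a non-empty unsafe list is a reason not to extract with a tool that honours raw entry names.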
All screenshots are available in the full report
Total processes: 131
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Monitored processes, as labelled in the graph:
  • winrar.exe
  • slui.exe
  • updater.exe (no specs)
  • updater.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • mpcmdrun.exe (no specs)

Process information

PID 1156 (updater.exe)
  CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
  Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
  Parent process: svchost.exe
  User: SYSTEM
  Company: Google LLC
  Integrity Level: SYSTEM
  Description: Google Updater
  Exit code: 0
  Version: 134.0.6985.0

PID 1324 (MpCmdRun.exe)
  CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815"
  Path: C:\Program Files\Windows Defender\MpCmdRun.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Malware Protection Command Line Utility
  Exit code: 2
  Version: 4.18.1909.6 (WinBuild.160101.0800)

PID 3460 (WinRAR.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\CreamApi-lastest-b1.zip
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0

PID 4760 (cmd.exe)
  CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\Rar$Scan90800.bat" "
  Path: C:\Windows\System32\cmd.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 5552 (conhost.exe)
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 6164 (slui.exe)
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 6768 (updater.exe, crash handler)
  CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
  Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
  Parent process: updater.exe
  User: SYSTEM
  Company: Google LLC
  Integrity Level: SYSTEM
  Description: Google Updater
  Exit code: 0
  Version: 134.0.6985.0
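The process table above shows a chain that looks alarming in isolation, WinRAR.exe spawning cmd.exe to run a .bat from %TEMP% which in turn launches another executable, but it is WinRAR's own antivirus-scan routine. As an added example (not code from the report, from WinRAR or from Microsoft), the Python below encodes the checks a detection rule can apply to process-creation events to tell that routine apart from a batch file an attacker placed in an archive: the batch must be Rar$Scan*.bat inside a Rar$VR<pid>.<n> folder whose PID matches the parent WinRAR process, and the batch's children must be only the console host and the configured scanner. The event list is constructed: the 3460/4760/5552/1324/1156 records mirror the report's table, the 7000-7020 chain is invented to exercise the anomalous path, and the scanner allow-list is an assumption (set it to whatever scanner WinRAR is configured with).

```python
"""Classify cmd.exe launches under WinRAR: built-in AV scan vs. anomalous batch execution.

Added example, not part of the ANY.RUN report. EVENTS are constructed
process-creation records; PIDs 3460/4760/5552/1324/1156 mirror the report's
chain, PIDs 7000-7020 are an invented anomalous chain for contrast.
"""
import re
from collections import defaultdict

# WinRAR's "Scan archive with antivirus" unpacks into %TEMP%\Rar$VR<winrar-pid>.<n>
# and runs Rar$Scan<n>.bat from there; the folder name carries the WinRAR PID.
SCAN_BAT = re.compile(r"\\Temp\\Rar\$VR(?P<pid>\d+)\.\d+\\Rar\$Scan\d+\.bat", re.IGNORECASE)
EXPECTED_SCANNERS = {"mpcmdrun.exe"}  # assumption: the scanner WinRAR is configured to call
CONSOLE_HOST = {"conhost.exe"}

EVENTS = [  # constructed, modelled on the report's process table
    dict(pid=1000, ppid=1, image="explorer.exe", cmdline="explorer.exe"),
    dict(pid=3460, ppid=1000, image="WinRAR.exe",
         cmdline=r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\CreamApi-lastest-b1.zip'),
    dict(pid=4760, ppid=3460, image="cmd.exe",
         cmdline=r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\Rar$Scan90800.bat" "'),
    dict(pid=5552, ppid=4760, image="conhost.exe",
         cmdline=r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    dict(pid=1324, ppid=4760, image="MpCmdRun.exe",
         cmdline=r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815"'),
    dict(pid=1156, ppid=900, image="updater.exe",
         cmdline=r'"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system'),
    # invented anomalous chain: batch outside the scan folder, spawning PowerShell
    dict(pid=7000, ppid=1000, image="WinRAR.exe",
         cmdline=r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\other.rar'),
    dict(pid=7010, ppid=7000, image="cmd.exe",
         cmdline=r'C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\Rar$DIa7000.5\setup.bat"'),
    dict(pid=7020, ppid=7010, image="powershell.exe", cmdline=r"powershell.exe -nop -w hidden -enc AAAA"),
]


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def lineage(events, root_pid):
    """All PIDs that descend from root_pid (root included)."""
    _, children = build_tree(events)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def classify_winrar_batches(events, scanners=EXPECTED_SCANNERS):
    """One finding per cmd.exe whose parent is WinRAR.exe: 'winrar-av-scan' or 'anomalous-batch'."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if e["image"].lower() != "cmd.exe" or not parent or parent["image"].lower() != "winrar.exe":
            continue
        reasons = []
        m = SCAN_BAT.search(e["cmdline"])
        if not m:
            reasons.append("batch file is not Rar$Scan*.bat inside a Rar$VR scan folder")
        elif int(m.group("pid")) != parent["pid"]:
            reasons.append("scan folder PID %s does not match WinRAR PID %d" % (m.group("pid"), parent["pid"]))
        for child_pid in children.get(e["pid"], []):
            img = by_pid[child_pid]["image"].lower()
            if img not in scanners and img not in CONSOLE_HOST:
                reasons.append("unexpected child %s (pid %d)" % (by_pid[child_pid]["image"], child_pid))
        findings.append(dict(cmd_pid=e["pid"], winrar_pid=parent["pid"],
                             verdict="winrar-av-scan" if not reasons else "anomalous-batch",
                             reasons=reasons))
    return findings


if __name__ == "__main__":
    print("sample lineage:", sorted(lineage(EVENTS, 3460)))
    for f in classify_winrar_batches(EVENTS):
        print(f)
```

The lineage() helper is what separates the sample's own chain (3460, 4760, 5552, 1324) from the SYSTEM-level updater.exe and slui.exe processes that the signature list mixes in; the same three checks translate directly into a Sysmon event 1 rule keyed on ParentImage, CommandLine and the grandchild's Image.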
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 52
Suspicious files: 1
Text files: 70
Unknown types: 0

Dropped files

All listed files were written by WinRAR.exe (PID 3460) while unpacking the archive into its scan folder; only 10 of the 122 files counted above are listed, all of type text. Paths are relative to C:\Users\admin\AppData\Local\Temp\Rar$VR3460.28815\CreamApi-lastest-b1.zip\CreamApi-lastest-b1\

  .github\workflows\jekyll-gh-pages.yml
    MD5: 2298BA4DA64197A0FA321BA698D085F2
    SHA256: 3E9C30B39B55AB79FEC1E7C9FA92B1FB931865C263534450FE9880E3384070BE
  .github\ISSUE_TEMPLATE\bug-report.md
    MD5: C8C3DBCB5A0D54645D6F77EB0FB3D035
    SHA256: D871E0BE78298C91811618FCCD981AC795231246F1CAD789D2DCB0D1F35A5EB7
  .github\workflows\test.yml
    MD5: FCB2CD6F8927E01AAA690CB81D45C7CD
    SHA256: E3E54CB21A0E9FCA8263455648A0068353A7205FFD96A2C44656BCBC19C83BDD
  .github\workflows\delete_releases.yml
    MD5: 009C63C99C340BABC3278CF3A6B9D9A7
    SHA256: A118A67B2CC6F56CA5647442ED724093B40C2159240C1A26627F4C9F4CDC4821
  .gitattributes
    MD5: 05BDB783EE6514C8C072E47680AF8FF7
    SHA256: 1A1DBE176BC233B499D35A57DB7513F2941C99AB9759F177830C9149BE99005B
  .github\ISSUE_TEMPLATE\enhancement-request.md
    MD5: 6798F1648AEFD49540BD8BB708BD376A
    SHA256: 0B5B181828A8DA20E7DB0A1DBA2F32837AC9C79002EA0BCC0308932447074C3C
  CreamInstaller\Components\CustomForm.cs
    MD5: 33654D25487375A41441D318AB0F703A
    SHA256: 52B43FB5CE947C1485E2ECFD3C3A9F1ECE56048747717DB78AEE154C0DE32A1F
  .gitignore
    MD5: EC5538C9D32622E51AE5F0F2FD76A884
    SHA256: 69F175476EE30C5A2626A6B70A65D3902ECCBB6424EBAAA38CFCD0C1ABED91EF
  CreamInstaller\CreamInstaller.csproj
    MD5: 157F4F92ACBD48998D190D590510002E
    SHA256: A8FF1DFDD9C1A9FF0A4876A6DEF47061FF6CAC4FDB39914DC34597B44B77D1EC
  .github\FUNDING.yml
    MD5: F8723011C1E0FDF1B57C7555F3FFAF7F
    SHA256: 6867FB6F1C02B4D954BC767AA396053144A02CE5904DE6417E89C71F995860AF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 43
DNS requests: 17
Threats: 0

HTTP requests

None of the requests below come from the sample's process chain (WinRAR.exe 3460, cmd.exe 4760, MpCmdRun.exe 1324); they are issued by Windows background services (svchost.exe, SIHClient.exe) to Microsoft CRL, update and account endpoints, almost all of them whitelisted. Rows are grouped by PID; each gives method, HTTP code, IP:port, URL and, where the report records them, CN, response type and size, and reputation.

PID 1268, svchost.exe
  GET 200 23.216.77.28:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; whitelisted)
  GET 200 184.30.21.171:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (CN: unknown; whitelisted)
  POST 400 20.190.160.132:443 https://login.live.com/ppsecure/deviceaddcredential.srf (CN: unknown; text, 203 b; whitelisted)
  GET 304 52.149.20.212:443 https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL (CN: unknown)
  GET 200 23.216.77.28:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (CN: unknown; whitelisted)
  POST 400 40.126.32.68:443 https://login.live.com/ppsecure/deviceaddcredential.srf (CN: unknown; text, 203 b; whitelisted)

PID 5116, SIHClient.exe
  GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl (CN: unknown; whitelisted)
  POST 200 20.190.160.14:443 https://login.live.com/RST2.srf (CN: unknown; xml, 1.24 Kb; whitelisted)
  POST 400 20.190.160.132:443 https://login.live.com/ppsecure/deviceaddcredential.srf (CN: unknown; text, 203 b; whitelisted)
  POST 400 20.190.160.128:443 https://login.live.com/ppsecure/deviceaddcredential.srf (CN: unknown; text, 203 b; whitelisted)

Connections

Where the report leaves PID and process blank they are shown as -; domain, ASN and CN are absent for the two NetBIOS broadcasts to 192.168.100.255.

PID   Process      IP:port               Domain                           ASN                          CN  Reputation
-     -            4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System       192.168.100.255:137   -                                -                            -   whitelisted
4     System       192.168.100.255:138   -                                -                            -   whitelisted
1268  svchost.exe  23.216.77.28:80       crl.microsoft.com                Akamai International B.V.    DE  whitelisted
-     -            23.216.77.28:80       crl.microsoft.com                Akamai International B.V.    DE  whitelisted
1268  svchost.exe  184.30.21.171:80      www.microsoft.com                AKAMAI-AS                    DE  whitelisted
-     -            184.30.21.171:80      www.microsoft.com                AKAMAI-AS                    DE  whitelisted
-     -            51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
1268  svchost.exe  51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2520  svchost.exe  20.190.160.14:443     login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.76
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.128
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

No threats detected
No debug info