Malware analysis 21421149483.zip Malicious activity | ANY.RUN

Add for printing

File name:	21421149483.zip
Full analysis:	https://app.any.run/tasks/b54031e1-1f34-4f06-8f64-fc5d92e4e040
Verdict:	Malicious activity
Analysis date:	February 18, 2025, 15:47:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec delphi inno installer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	ADDB6A1FB08822FE243DEE51C3C5D5BD
SHA1:	3A48E85676755CD35E62475D6123084BDABCF991
SHA256:	D44912A878E6F69564A69A3DBE54FD8A6762375F6CA4A59A0BD758C6BDB96D25
SSDEEP:	49152:oRlf1PKN86USZiBe0O7xFbWsipAlU3fPFg9IPjAjCwi19HHU0+4wK/Ti2eGUpImR:Ol9iqPCiBDO7TippPFhuCwa9HHU0+1K8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 3724)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 5032)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 4592)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 6244)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 6240)
- Reads the Windows owner or organization settings
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
- Reads security settings of Internet Explorer
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 6240)
- There is functionality for taking screenshot (YARA)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
INFO
- Process checks computer location settings
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1580)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1744)
- Manual execution by a user
  - notepad++.exe (PID: 7164)
  - WinRAR.exe (PID: 7096)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 3724)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 4592)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7096)
- Create files in a temporary directory
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 3724)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 5032)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 4592)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 6244)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 6240)
- Checks supported languages
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 3724)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1580)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 5032)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1744)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 6244)
- Creates files in the program directory
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 6240)
- Detects InnoSetup installer (YARA)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 3724)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 5032)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1580)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 4592)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1744)
- Compiled with Borland Delphi (YARA)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 3724)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1580)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 5032)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 4592)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1744)
- Checks proxy server information
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 6240)
- Creates a software uninstall entry
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1064)
- Reads the computer name
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp (PID: 1744)
  - IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe (PID: 6244)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0009
ZipCompression:	Deflated
ZipModifyDate:	1980:00:00 00:00:00
ZipCRC:	0x564f200c
ZipCompressedSize:	1371880
ZipUncompressedSize:	1895804
ZipFileName:	72e87bc74fa8ce355f6a15701fceabef16b485c009800d9ec73d83fe08f32c35

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

148

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1064

"C:\Users\admin\AppData\Local\Temp\is-OBNDN.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp" /SL5="$D02AE,935482,845824,C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe" /SPAWNWND=$D02B0 /NOTIFYWND=$D030A

C:\Users\admin\AppData\Local\Temp\is-OBNDN.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-obndn.tmp\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

1580

"C:\Users\admin\AppData\Local\Temp\is-0A8IS.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp" /SL5="$D030A,935482,845824,C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe"

C:\Users\admin\AppData\Local\Temp\is-0A8IS.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp

—

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-0a8is.tmp\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

1744

"C:\Users\admin\AppData\Local\Temp\is-H3QD7.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp" /SL5="$D023A,935482,845824,C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe"

C:\Users\admin\AppData\Local\Temp\is-H3QD7.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp

—

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-h3qd7.tmp\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\mpr.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3724

"C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe"

C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchin

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

4592

"C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe"

C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchin

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comctl32.dll
c:\windows\syswow64\advapi32.dll

5000

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\21421149483.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5032

"C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe" /SPAWNWND=$D02B0 /NOTIFYWND=$D030A

C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp

User:

admin

Company:

Integrity Level:

HIGH

Description:

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchin

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

6240

"C:\Users\admin\AppData\Local\Temp\is-9B49E.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp" /SL5="$C02AA,935482,845824,C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe" /SPAWNWND=$E02AE /NOTIFYWND=$D023A

C:\Users\admin\AppData\Local\Temp\is-9B49E.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-9b49e.tmp\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll

6244

"C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe" /SPAWNWND=$E02AE /NOTIFYWND=$D023A

C:\Users\admin\Desktop\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp

User:

admin

Company:

Integrity Level:

HIGH

Description:

IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchin

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\idm 642 build 27 incl patch fake serial fixedcrackingpatchingzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

Add for printing

Total events

4 501

Read events

4 427

Write events

Delete events

Modification events


(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\21421149483.zip
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(5000) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7164	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml		text
		MD5:F11D96162BC521F5CF49FFE6B6841C9B	SHA256:BE9AEAEAB5A2E4899BA7E582274BA592C1B9BAF688B340A754B8EF32B23CFA9C
7164	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\langs.xml		xml
		MD5:FE22EC5755BC98988F9656F73B2E6FB8	SHA256:F972C425CE176E960F6347F1CA2F64A8CE2B95A375C33A03E57538052BA0624D
6240	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp	C:\Users\admin\AppData\Local\Temp\is-98JIO.tmp\idp.dll		executable
		MD5:55C310C0319260D798757557AB3BF636	SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
1064	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp	C:\Program Files (x86)\Setup\unins000.exe		executable
		MD5:E92B89FE33CC8EAA15E087C53E8A7E27	SHA256:A142181BA7A0CE3F9D35349E984E514107A2C8F6908465EE916BE02819617B90
7164	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml		xml
		MD5:312281C4126FA897EF21A7E8CCB8D495	SHA256:53B4BE3ED1CFD712E53542B30CFE30C5DB35CC48BE7C57727DFEC26C9E882E90
6244	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe	C:\Users\admin\AppData\Local\Temp\is-9B49E.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp		executable
		MD5:FE0A3C4AB8D241C553DDCB7249D6C4AC	SHA256:F1B1AC7E98B7A7119D89C402C35016E25670197ADC739F3E9459C904C77E9D89
6240	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp	C:\Users\admin\AppData\Local\Temp\is-98JIO.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4592	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.exe	C:\Users\admin\AppData\Local\Temp\is-H3QD7.tmp\IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp		executable
		MD5:FE0A3C4AB8D241C553DDCB7249D6C4AC	SHA256:F1B1AC7E98B7A7119D89C402C35016E25670197ADC739F3E9459C904C77E9D89
6240	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp	C:\Program Files (x86)\Setup\is-HJQ20.tmp		executable
		MD5:E92B89FE33CC8EAA15E087C53E8A7E27	SHA256:A142181BA7A0CE3F9D35349E984E514107A2C8F6908465EE916BE02819617B90
1064	IDM 642 build 27 incl Patch Fake Serial FixedCrackingPatchingzip.tmp	C:\Users\admin\AppData\Local\Temp\is-325SQ.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
440	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
440	svchost.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6844	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6844	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6368	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6100	SystemSettings.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5064	SearchApp.exe	92.123.104.52:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1228	RUXIMICS.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
440	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
440	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
440	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
440	svchost.exe	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	92.123.104.44:443	www.bing.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	92.123.104.52 92.123.104.44 92.123.104.64 92.123.104.63 92.123.104.62 92.123.104.47 92.123.104.59 92.123.104.65 92.123.104.67 92.123.104.58 92.123.104.33 92.123.104.36 92.123.104.32 92.123.104.40 92.123.104.35 92.123.104.43 92.123.104.61 92.123.104.53	whitelisted
google.com	142.250.186.46	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	23.209.214.100 95.101.149.131	whitelisted
login.live.com	40.126.31.73 20.190.159.68 20.190.159.131 40.126.31.2 20.190.159.71 40.126.31.129 20.190.159.23 40.126.31.71	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
go.microsoft.com	2.19.106.8	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .icu Domain

Add for printing

Process	Message
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

21421149483.zip

ADDB6A1FB08822FE243DEE51C3C5D5BD

3A48E85676755CD35E62475D6123084BDABCF991

D44912A878E6F69564A69A3DBE54FD8A6762375F6CA4A59A0BD758C6BDB96D25

49152:oRlf1PKN86USZiBe0O7xFbWsipAlU3fPFg9IPjAjCwi19HHU0+4wK/Ti2eGUpImR:Ol9iqPCiBDO7TippPFhuCwa9HHU0+1K8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

INFO

Process checks computer location settings

Manual execution by a user

Executable content was dropped or overwritten

Create files in a temporary directory

Checks supported languages

Creates files in the program directory

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

Checks proxy server information

Creates a software uninstall entry

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings