File name:

Everstyle Trading-SD900 KBOrder Specifications.zip

Full analysis: https://app.any.run/tasks/cd19d8b6-a479-4c04-9f8a-55285b8de03d
Verdict: Malicious activity
Analysis date: March 26, 2026, 11:17:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

048698786B479D1229B6155BB3E15A93

SHA1:

7DBD41586D9EA69EBE3EB122FC2E78087F3F8A09

SHA256:

D9CA3C7F627A261A782C1274C0905E01BFF4C0D7F8C97B8177109C3F1511E749

SSDEEP:

24576:v5QJ80HAC8iG7GDa6usFAjL/0txpcCh0D3Rub23H1k5+VSiRByNMASTTTIR/8cKU:v5QJ80HAC8iG7GDa6usFAf/0txpvh0D8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • inhumate.exe (PID: 7660)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
    • Starts itself from another location

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
    • The process executes VB scripts

      • wscript.exe (PID: 4236)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4236)
  • INFO

    • Manual execution by a user

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
      • wscript.exe (PID: 4236)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 2684)
      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
    • Checks supported languages

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
      • inhumate.exe (PID: 7660)
      • inhumate.exe (PID: 7420)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2684)
    • Creates files or folders in the user directory

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
      • inhumate.exe (PID: 7660)
      • WerFault.exe (PID: 1504)
      • WerFault.exe (PID: 7624)
    • Reads mouse settings

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
      • inhumate.exe (PID: 7660)
      • inhumate.exe (PID: 7420)
    • Reads the machine GUID from the registry

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
    • Create files in a temporary directory

      • Everstyle Trading-SD900 KBOrder Specifications.exe (PID: 7348)
      • inhumate.exe (PID: 7660)
      • inhumate.exe (PID: 7420)
    • Launching a file from the Startup directory

      • inhumate.exe (PID: 7660)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2026:03:23 02:11:12
ZipCRC: 0x1914d1cf
ZipCompressedSize: 851981
ZipUncompressedSize: 1306624
ZipFileName: Everstyle Trading-SD900 KBOrder Specifications.exe
No data.
Total processes: 141
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Process chain as drawn in the report (parent above child; the report's "no specs" label marks processes without flagged indicators):
WinRAR.exe (2684)
Everstyle Trading-SD900 KBOrder Specifications.exe (7348)
  inhumate.exe (7660)
    svchost.exe (no specs)
    WerFault.exe (1504)
wscript.exe (4236, no specs)
  inhumate.exe (7420)
    svchost.exe (no specs)
    WerFault.exe (7624)

Process information

PID: 1504
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7660 -s 748
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: inhumate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2684
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4236
CMD: wscript "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inhumate.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5760
CMD: "C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications\Everstyle Trading-SD900 KBOrder Specifications.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: inhumate.exe
Note: the image on disk is svchost.exe while the command line names the sample's own executable, and the parent is the sample's copy rather than services.exe. No exit code was recorded for this process.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 7348
CMD: "C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications\Everstyle Trading-SD900 KBOrder Specifications.exe"
Path: C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications\Everstyle Trading-SD900 KBOrder Specifications.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\everstyle trading-sd900 kborder specifications\everstyle trading-sd900 kborder specifications.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 7420
CMD: "C:\Users\admin\AppData\Local\mouslingly\inhumate.exe"
Path: C:\Users\admin\AppData\Local\mouslingly\inhumate.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; the crash dump for this PID was written by WerFault.exe PID 7624)
Modules
Images
c:\users\admin\appdata\local\mouslingly\inhumate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID: 7624
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7420 -s 728
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: inhumate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7660
CMD: "C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications\Everstyle Trading-SD900 KBOrder Specifications.exe"
Path: C:\Users\admin\AppData\Local\mouslingly\inhumate.exe
Parent process: Everstyle Trading-SD900 KBOrder Specifications.exe
Note: this is the copy dropped under %LOCALAPPDATA%\mouslingly, started by the dropper with the dropper's own command line (the "Starts itself from another location" indicator above).
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; the crash dump for this PID was written by WerFault.exe PID 1504)
Modules
Images
c:\users\admin\appdata\local\mouslingly\inhumate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 7856
CMD: "C:\Users\admin\AppData\Local\mouslingly\inhumate.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: inhumate.exe
Note: as with PID 5760, the image is svchost.exe but the command line is the sample's, and the parent is inhumate.exe rather than services.exe. No exit code was recorded for this process.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
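Detection logic for the process behaviour recorded above, added here as an example; it is not code from the ANY.RUN report. The records are Sysmon-style process-creation events reconstructed from the process table (constructed data: the field names follow Sysmon Event ID 1, and the full paths of explorer.exe and of the parent images are assumptions, since the report gives parent names only). Four checks a practitioner would derive from this report are run over them: the command line naming a different executable than the image on disk (PIDs 5760, 7660, 7856), svchost.exe whose parent is not services.exe, a script host running a file from the per-user Startup folder, and an executable image living under AppData.

```python
import ntpath

# Process-creation records reconstructed from this report's process table
# (constructed test data: field names follow Sysmon Event ID 1, and the full
# paths of explorer.exe and of the parent images are assumptions, since the
# report lists parent names only).
DESKTOP_DIR = r"C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications"
DROPPER = DESKTOP_DIR + r"\Everstyle Trading-SD900 KBOrder Specifications.exe"
COPY = r"C:\Users\admin\AppData\Local\mouslingly\inhumate.exe"
VBS = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inhumate.vbs"
EXPLORER = r"C:\Windows\explorer.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

EVENTS = [
    {"ProcessId": 2684, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": '"C:\\Program Files\\WinRAR\\WinRAR.exe" '
                    '"C:\\Users\\admin\\Desktop\\Everstyle Trading-SD900 KBOrder Specifications.zip"',
     "ParentImage": EXPLORER},
    {"ProcessId": 7348, "Image": DROPPER, "CommandLine": f'"{DROPPER}"', "ParentImage": EXPLORER},
    {"ProcessId": 7660, "Image": COPY, "CommandLine": f'"{DROPPER}"', "ParentImage": DROPPER},
    {"ProcessId": 5760, "Image": SVCHOST, "CommandLine": f'"{DROPPER}"', "ParentImage": COPY},
    {"ProcessId": 1504, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7660 -s 748", "ParentImage": COPY},
    {"ProcessId": 4236, "Image": WSCRIPT, "CommandLine": f'wscript "{VBS}"', "ParentImage": EXPLORER},
    {"ProcessId": 7420, "Image": COPY, "CommandLine": f'"{COPY}"', "ParentImage": WSCRIPT},
    {"ProcessId": 7856, "Image": SVCHOST, "CommandLine": f'"{COPY}"', "ParentImage": COPY},
]

SCRIPT_HOSTS = {"wscript", "cscript"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def stem(path: str) -> str:
    """Lower-cased file name without extension: C:\\X\\WerFault.exe -> 'werfault'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def program_from_cmdline(cmdline: str) -> str:
    """The program a Windows command line names: its first token, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def classify(event: dict) -> list[str]:
    """Return the names of the checks this one process-creation event trips."""
    hits = []
    image, parent, cmdline = event["Image"], event["ParentImage"], event["CommandLine"]
    # 1. The executable the command line names is not the image that runs: here the
    #    copy started with the dropper's command line (7660) and svchost.exe carrying
    #    the sample's command line (5760, 7856). WerFault (1504) passes: same stem.
    if stem(image) != stem(program_from_cmdline(cmdline)):
        hits.append("image_cmdline_mismatch")
    # 2. svchost.exe is normally a child of services.exe; here its parent is inhumate.exe.
    if stem(image) == "svchost" and stem(parent) != "services":
        hits.append("svchost_unexpected_parent")
    # 3. wscript/cscript executing a script from the per-user Startup folder (persistence).
    if stem(image) in SCRIPT_HOSTS and STARTUP_DIR in cmdline.lower():
        hits.append("script_host_from_startup")
    # 4. An executable image living under the user's AppData tree (7420, 7660).
    if "\\appdata\\" in image.lower():
        hits.append("image_in_appdata")
    return hits


def scan(events) -> dict[int, list[str]]:
    """PID -> tripped checks, for every event that tripped at least one."""
    return {e["ProcessId"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

The first check is the one worth keeping on a production host: WinRAR, the dropper and WerFault all pass it, while every process the sample created under another name or inside svchost.exe trips it.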
Total events
14 416
Read events
14 380
Write events
23
Delete events
13

Modification events

(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes\ShellExtBMP = (empty)
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes\ShellExtIcon = (empty)
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\3 = C:\Users\admin\Desktop\chromium_ext.zip
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\2 = C:\Users\admin\Desktop\omni_23_10_2024_.zip
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\1 = C:\Users\admin\Downloads\chromium_build 1.zip
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\0 = C:\Users\admin\Desktop\Everstyle Trading-SD900 KBOrder Specifications.zip
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\name = 120
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\size = 80
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\type = 120
(2684) WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\mtime = 100

All listed writes are WinRAR UI state. ArcHistory entries 1 to 3 are archives opened earlier on the sandbox image and are unrelated to this sample. No registry write by the sample itself appears here; the persistence observed in this run is the script in the Startup folder, not a Run key.
Executable files: 2
Suspicious files: 9
Text files: 4
Unknown types: 0

Dropped files

PID 1504 WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_inhumate.exe_b398c65d8a2259274aef41d41e6f691488871_f6abf6b8_c9fba38e-321e-459e-8f5f-a3a3aff9fb8d\Report.wer (no type or hashes recorded)
PID 7624 WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_inhumate.exe_b398c65d8a2259274aef41d41e6f691488871_f6abf6b8_44e2e4ad-fd4d-46ee-b25b-c04941d563dd\Report.wer (no type or hashes recorded)
PID 7660 inhumate.exe: C:\Users\admin\AppData\Local\Temp\aut3563.tmp (binary)
  MD5: 001B288AAD6BC3C1195205558CB43EFD
  SHA256: 207E27D5F83C26CD876F2370F10E71EF303CC472F288D20A584B6BC676C0DBD6
PID 7348 Everstyle Trading-SD900 KBOrder Specifications.exe: C:\Users\admin\AppData\Local\mouslingly\inhumate.exe (executable)
  MD5: 31A7DC434275505AD79B4EC5403F8D08
  SHA256: F72F4CB0391DA991E2D4F333DE0062729CD50EA7CE07C2836547D1BB2802FD9C
PID 7348 Everstyle Trading-SD900 KBOrder Specifications.exe: C:\Users\admin\AppData\Local\Temp\acrorrheuma (binary)
  MD5: C9649B8F64AE678B13D1EC3AF3D1888C
  SHA256: 07DCB973F8CAE528C79944D0D739BA15991D0C5413BDC1B9F3F4FA1FB5262576
PID 7660 inhumate.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inhumate.vbs (binary)
  MD5: 9AC16221575118B90F0C43A725E52850
  SHA256: C37C2933A39FFCC2D33897C565DBEAAB2C99ADC64610586384664C098A9F4E84
PID 7348 Everstyle Trading-SD900 KBOrder Specifications.exe: C:\Users\admin\AppData\Local\Temp\aut2F0A.tmp (binary)
  MD5: 001B288AAD6BC3C1195205558CB43EFD
  SHA256: 207E27D5F83C26CD876F2370F10E71EF303CC472F288D20A584B6BC676C0DBD6
PID 1504 WerFault.exe: C:\Users\admin\AppData\Local\CrashDumps\inhumate.exe.7660.dmp (binary)
  MD5: 03287066109F75D9B7E22C8680B71772
  SHA256: 182A56399148F273CA1396D40A39D6CF561D9EFD61859E741AB9E661A9BEC8A2
PID 7624 WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA871.tmp.dmp (binary)
  MD5: A26E5DEEC30816AB798BCAD14D4621C1
  SHA256: A47AC9590C402F493F76658C6263AAEB0429747DDC71F190BACB34D99641AD2C
PID 7624 WerFault.exe: C:\Users\admin\AppData\Local\CrashDumps\inhumate.exe.7420.dmp (binary)
  MD5: C648E060AD10A3B64DEEBAC5D919120C
  SHA256: 2A08EF3C490C831DDF601DE21647B34DF09631DA342E18A5AC5724D1CEFA30B4

Notes: aut3563.tmp (written by the copy, PID 7660) and aut2F0A.tmp (written by the dropper, PID 7348) carry identical hashes, so both stages unpack the same embedded payload under a per-run temp name; pivot on the hash, not the file name. The aut####.tmp naming in %TEMP% is characteristic of AutoIt-compiled executables, which is an indicator only, since the extracted script is not on this page. The Report.wer and .dmp files are artifacts of inhumate.exe crashing twice in this run, not indicators of the sample.
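An IOC matcher built from the dropped-file rows above, added here as an example and not part of the ANY.RUN report. It indexes the files the sample wrote (the WER reports and crash dumps are left out as run artifacts) by SHA-256 and by a normalised path in which the user profile becomes %USERPROFILE% and the per-run aut####.tmp name becomes a wildcard, then checks a constructed host file listing (the jdoe user, the autB1C2.tmp name and the placeholder hashes are made up for the example). A hash hit catches the same payload under a new temp name; a path-only hit flags inhumate.exe at the known location even when its content differs.

```python
import re

# Dropped-file rows copied from this report: (pid, process, path, type, md5, sha256).
# WER reports and crash dumps are left out: they are artifacts of the crash, not of the sample.
DROPPER_NAME = "Everstyle Trading-SD900 KBOrder Specifications.exe"
DROPPED = [
    (7660, "inhumate.exe", r"C:\Users\admin\AppData\Local\Temp\aut3563.tmp", "binary",
     "001B288AAD6BC3C1195205558CB43EFD",
     "207E27D5F83C26CD876F2370F10E71EF303CC472F288D20A584B6BC676C0DBD6"),
    (7348, DROPPER_NAME, r"C:\Users\admin\AppData\Local\mouslingly\inhumate.exe", "executable",
     "31A7DC434275505AD79B4EC5403F8D08",
     "F72F4CB0391DA991E2D4F333DE0062729CD50EA7CE07C2836547D1BB2802FD9C"),
    (7348, DROPPER_NAME, r"C:\Users\admin\AppData\Local\Temp\acrorrheuma", "binary",
     "C9649B8F64AE678B13D1EC3AF3D1888C",
     "07DCB973F8CAE528C79944D0D739BA15991D0C5413BDC1B9F3F4FA1FB5262576"),
    (7660, "inhumate.exe",
     r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inhumate.vbs",
     "binary", "9AC16221575118B90F0C43A725E52850",
     "C37C2933A39FFCC2D33897C565DBEAAB2C99ADC64610586384664C098A9F4E84"),
    (7348, DROPPER_NAME, r"C:\Users\admin\AppData\Local\Temp\aut2F0A.tmp", "binary",
     "001B288AAD6BC3C1195205558CB43EFD",
     "207E27D5F83C26CD876F2370F10E71EF303CC472F288D20A584B6BC676C0DBD6"),
]

_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+", re.IGNORECASE)
_AUT_TMP_RE = re.compile(r"\\aut[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def normalize(path: str) -> str:
    """Make a path comparable across hosts: the user-profile segment becomes
    %USERPROFILE%, the per-run aut####.tmp name becomes a wildcard, case is folded."""
    p = _PROFILE_RE.sub("%USERPROFILE%", path)
    p = _AUT_TMP_RE.sub(r"\\aut????.tmp", p)
    return p.lower()


def build_iocs(rows):
    """Index by SHA-256 (strong) and by normalised path (weak).
    One hash may sit behind several names: aut3563.tmp and aut2F0A.tmp here."""
    by_hash, by_path = {}, {}
    for _pid, _proc, path, _ftype, _md5, sha256 in rows:
        by_hash.setdefault(sha256.lower(), set()).add(normalize(path))
        by_path[normalize(path)] = sha256.lower()
    return by_hash, by_path


def match_host_files(listing, by_hash, by_path):
    """listing: (path, sha256) pairs from a host. Returns (path, reason) for each hit:
    'sha256' means identical content, 'path-only' means the sample's location holds
    different content (a variant, a rebuilt dropper, or a false positive to triage)."""
    hits = []
    for path, sha256 in listing:
        if sha256.lower() in by_hash:
            hits.append((path, "sha256"))
        elif normalize(path) in by_path:
            hits.append((path, "path-only"))
    return hits


# Constructed host listing (user name, temp file name and placeholder hashes are made up).
HOST_LISTING = [
    (r"C:\Users\jdoe\AppData\Local\Temp\autB1C2.tmp",
     "207e27d5f83c26cd876f2370f10e71ef303cc472f288d20a584b6bc676c0dbd6"),  # same payload, new temp name
    (r"C:\Users\jdoe\AppData\Local\mouslingly\inhumate.exe", "00" * 32),      # known location, other content
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inhumate.vbs",
     "C37C2933A39FFCC2D33897C565DBEAAB2C99ADC64610586384664C098A9F4E84"),
    (r"C:\Users\jdoe\Desktop\notes.txt", "11" * 32),                          # unrelated file
]

if __name__ == "__main__":
    by_hash, by_path = build_iocs(DROPPED)
    for path, reason in match_host_files(HOST_LISTING, by_hash, by_path):
        print(f"{reason:9s} {path}")
```

Hash comparison is done case-insensitively because the report prints hashes in upper case while most host tooling emits lower case.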
HTTP(S) requests: 24
TCP/UDP connections: 44
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5316 | svchost.exe | POST | 404 | 40.126.31.0:443 | https://login.live.com/RST2.srf | unknown | xml | 341 b | whitelisted (8 identical requests; one of them has no Type value recorded)
1900 | SIHClient.exe | GET | 404 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | xml | 341 b | whitelisted (2 identical requests)

Both rows come from Windows service processes (PIDs 5316 and 1900) that are not in the monitored process list; none of the recorded HTTP traffic is attributable to the sample or to the svchost.exe instances it spawned (PIDs 5760 and 7856).

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5392 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | (none) | Not routed | (none) | whitelisted
(no PID) | (none) | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(no PID) | (none) | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(no PID) | (none) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | (none) | Not routed | (none) | whitelisted
3428 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5316 | svchost.exe | 40.126.31.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5392 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1504 | WerFault.exe | 135.233.45.223:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.140.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.0
  • 40.126.31.129
  • 20.190.159.128
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.131
  • 40.126.31.131
whitelisted
watson.events.data.microsoft.com
  • 135.233.45.223
  • 172.178.240.161
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.232.92.97
  • 2603:1030:10:12::2fe
whitelisted
97.92.232.135.in-addr.arpa
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted

Threats

No threats detected. Read this together with the process table: both inhumate.exe instances (PIDs 7420 and 7660) exited with 3221225477 (0xC0000005, access violation) and WerFault.exe wrote crash dumps for them, while every captured connection and HTTP request belongs to a Windows or Microsoft service. The sample's own network behaviour was not observed in this run, so a zero threat count here is inconclusive rather than evidence that the payload is benign.
No debug info