File name:

WinRAR-ZIP-Archivneu.zip

Full analysis: https://app.any.run/tasks/6aeb7e7d-7914-40a4-a697-258cd903f861
Verdict: Malicious activity
Analysis date: January 19, 2025, 12:55:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

24C918143D3811191E6B7BC5B9C9CC86

SHA1:

EB1C5CB3F1BD71E3CEE82977621C51C4D5AF1A1F

SHA256:

DF1F0189C7A046672553640B179F4E001B0632FD275A83E63A54DC9CCA9206B2

SSDEEP:

786432:3N0xTgpz5wuoKD6EhE5XnbJwtyzE3ZGe5P/4Yz9Kzp:90Kz5wuo2hE5XnbJwtyzEJG+P/Je

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6728)
      • powershell.exe (PID: 6860)
      • powershell.exe (PID: 7080)
      • powershell.exe (PID: 3840)

  • SUSPICIOUS

    • Process drops python dynamic module

      • WinRAR.exe (PID: 6436)

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 6436)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6436)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 6436)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 6436)

  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6436)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6436)

    • Manual execution by a user

      • powershell.exe (PID: 6728)
      • powershell.exe (PID: 6860)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 7080)
      • notepad.exe (PID: 3544)
      • notepad.exe (PID: 4264)
      • notepad.exe (PID: 6012)
      • notepad.exe (PID: 4400)
      • notepad.exe (PID: 1804)
      • notepad.exe (PID: 5404)
      • WinRAR.exe (PID: 4624)
      • WinRAR.exe (PID: 4932)
      • OpenWith.exe (PID: 6332)
      • notepad.exe (PID: 5920)
      • notepad.exe (PID: 4132)
      • notepad.exe (PID: 1296)
      • OpenWith.exe (PID: 5316)
      • OpenWith.exe (PID: 1140)
      • OpenWith.exe (PID: 2424)
      • OpenWith.exe (PID: 6244)
      • OpenWith.exe (PID: 4360)
      • OpenWith.exe (PID: 2428)
      • OpenWith.exe (PID: 5268)
      • OpenWith.exe (PID: 1468)
      • OpenWith.exe (PID: 4612)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6436)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3544)
      • notepad.exe (PID: 4264)
      • notepad.exe (PID: 6012)
      • notepad.exe (PID: 4400)
      • notepad.exe (PID: 1804)
      • notepad.exe (PID: 5404)
      • notepad.exe (PID: 5920)
      • notepad.exe (PID: 4132)
      • notepad.exe (PID: 1296)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5316)
      • OpenWith.exe (PID: 5268)
      • OpenWith.exe (PID: 1140)
      • OpenWith.exe (PID: 6244)
      • OpenWith.exe (PID: 2424)
      • OpenWith.exe (PID: 1468)
      • OpenWith.exe (PID: 6332)
      • OpenWith.exe (PID: 2428)
      • OpenWith.exe (PID: 4360)
      • OpenWith.exe (PID: 4612)

    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 5392)

    • Checks supported languages

      • MpCmdRun.exe (PID: 5392)

    • Reads the computer name

      • MpCmdRun.exe (PID: 5392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:19 13:20:42
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: grabby/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
33
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs winrar.exe no specs winrar.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1140"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\core.pyC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1296"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
1468"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\cd.pyC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1804"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2088C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR6436.32032\Rar$Scan125384.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2424"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\c_lexer.pyC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2428"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\blockfeeder.pyC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3544"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\entry_points.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3840"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\__PSScriptPolicyTest_qujbespe.tiy.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4132"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LICENSE.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
27 425
Read events
27 398
Write events
27
Delete events
0

Modification events

(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\WinRAR-ZIP-Archivneu.zip
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:writeName:DefScanner
Value:
Windows Defender
(PID) Process:(4932) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
Executable files
25
Suspicious files
191
Text files
293
Unknown types
0

Dropped files

PID
Process
Filename
Type
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\9011fbc0-e5d2-416b-bb4f-037e8e381919.7z
MD5:
SHA256:
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\app.asar
MD5:
SHA256:
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\ca.pakbinary
MD5:D259469E94F2ADF54380195555154518
SHA256:F98B7442BEFC285398A5DD6A96740CBA31D2F5AADADD4D5551A05712D693029B
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\ar.pakbinary
MD5:47A6D10B4112509852D4794229C0A03B
SHA256:857FE3AB766B60A8D82B7B6043137E3A7D9F5CFB8DDD942316452838C67D0495
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\adapters.pytext
MD5:55B2F3BB90204EAEA336530AA917B89E
SHA256:28871E72C72A6A6EAB78E097465E03C0FE235FC25C97CB1DE7B7EDD7B291D9C4
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\ast_transforms.pytext
MD5:3F628E83C8067C9636D519BE20E88661
SHA256:193318954816997779C09572A2F5D8D6ACF302A8F1CC2A55560D3AEB874A181B
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\am.pakbinary
MD5:2009647C3E7AED2C4C6577EE4C546E19
SHA256:6D61E5189438F3728F082AD6F694060D7EE8E571DF71240DFD5B77045A62954E
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\blockfeeder.pytext
MD5:F527C7E232EFE70605EACFCF187A1ABE
SHA256:34C550F66D284B4C2866F17130D646BF6C3FC2BF2806203268865782E12E0E44
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\base.pytext
MD5:EE59EC73170EF3D781FADF48AF35527E
SHA256:F85E4A5A3C5BCA34AA96E512AFB2D10BFB2A37FB3EA873F92B4AD6FB8D4F2381
6436WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6436.21645\WinRAR-ZIP-Archivneu.zip\grabby\Cargo.tomltext
MD5:0F101A11E4C8D7D40521FDFC6686AF4A
SHA256:BC409BC4F88DBBE750856E1B693B923F382A6819C18306589C909268941B2140
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
25
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
204
2.16.110.121:443
https://www.bing.com/threshold/xls.aspx
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.23.227.215:443
Ooredoo Q.S.C.
QA
unknown
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2192
svchost.exe
224.0.0.252:5355
whitelisted
2192
svchost.exe
224.0.0.251:5353
unknown
5064
SearchApp.exe
2.16.110.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 13.89.179.10
whitelisted
www.bing.com
  • 2.16.110.123
  • 2.16.110.121
  • 2.16.110.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WinRAR-ZIP-Archivneu.zip