File name: updatekas.zip

Full analysis: https://app.any.run/tasks/46394b76-fe32-41aa-9749-0e4d039b3bd3
Verdict: Malicious activity
Analysis date: July 07, 2021, 14:40:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 1E4F6FEA32E12EA5806D9C08976A6D2A
SHA1: 09434BA2C13250B4CA61E863E3AF714F1015DFE4
SHA256: E601C1D200BE641F1384C80B3D280C5A907947AAC067B3737B671E214374382F
SSDEEP: 6144:4Xn7hl6tHfTlSvPGuZI5GErHE0InQKCj6fpHLIT1aXi18/:g1ATwOm25VIMepH0JfC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • updatekas.exe (PID: 2932)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3692)
      • updatekas.exe (PID: 2932)
    • Checks supported languages
      • WinRAR.exe (PID: 3692)
      • updatekas.exe (PID: 2932)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3692)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3692)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 3692)
  • INFO
    • Manual execution by user
      • updatekas.exe (PID: 2932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: updatekas.exe
ZipUncompressedSize: 262144
ZipCompressedSize: 234104
ZipCRC: 0xf45366fd
ZipModifyDate: 2021:07:07 19:49:15
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → winrar.exe
start → updatekas.exe

Process information

PID: 2932
CMD: "C:\Users\admin\Desktop\updatekas.exe"
Path: C:\Users\admin\Desktop\updatekas.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: This is production version
Exit code: 0
Version: 1.1.39
Modules (images):
  • c:\users\admin\desktop\updatekas.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll

PID: 3692
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\updatekas.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
Total events: 7 607
Read events: 7 596
Write events: 11
Delete events: 0

Modification events

(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: @C:\Windows\system32\NetworkExplorer.dll,-1 | Value: Network
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\updatekas.zip
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (3692) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3692
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3692.19671\updatekas.exe
Type: executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 32
DNS requests: 24
Threats: 0

HTTP requests

(PID and Process are blank for every row; "-" marks a column the report left empty)

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | - | - | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 5.77 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 7.10 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 9.91 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 11.2 Kb | whitelisted
HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTQ3QUFYQzF5VF9DcWNsa0ZkMGdTQmdvQQ/1.0.0.8_llkgjffcdpffmhiakmfcdcblohccpfmo.crx | US | crx | 18.6 Kb | whitelisted
HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q | US | binary | 11.2 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 9.91 Kb | whitelisted
GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AIQWwBRSWwfx2JCxD0aw30k_2657/I-4-aBwqaCFG5rMUT0QDpg | US | crx | 18.6 Kb | whitelisted
HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw | US | crx | 2.85 Kb | whitelisted

Connections

(PID and Process are blank for every row; "-" marks a column the report left empty)

IP | Domain | ASN | CN | Reputation
142.250.185.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
142.250.74.195:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
142.250.186.163:443 | www.gstatic.com | Google Inc. | US | whitelisted
216.58.212.142:443 | apis.google.com | Google Inc. | US | whitelisted
142.250.186.110:443 | encrypted-tbn0.gstatic.com | Google Inc. | US | whitelisted
34.104.35.123:80 | edgedl.me.gvt1.com | - | US | whitelisted
142.250.185.195:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
172.217.164.163:443 | id.google.com | Google Inc. | US | whitelisted
172.217.18.98:443 | adservice.google.com | Google Inc. | US | whitelisted
216.58.212.174:443 | ogs.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 142.250.185.131 | whitelisted
www.google.com | 142.250.181.228 | malicious
accounts.google.com | 142.250.185.109 | shared
clients2.google.com | 142.250.184.206 | whitelisted
fonts.googleapis.com | 142.250.184.202 | whitelisted
www.gstatic.com | 142.250.186.163 | whitelisted
fonts.gstatic.com | 142.250.74.195 | whitelisted
apis.google.com | 216.58.212.142 | whitelisted
ogs.google.com | 216.58.212.174 | whitelisted
update.googleapis.com | 172.217.16.131 | whitelisted

Threats

No threats detected

Debug output strings

Process | Message
updatekas.exe
OWQkNSJRVWfjjAfhyvYaEWaKXZmvsleHiKWmYp
updatekas.exe
LRsVtoOcLkJkMcJOHHlSdBocgEomDVQYYQUuHfIQKasHrZDTwVfyUZjJSFJAF
updatekas.exe
lPwsCGQOdTMYSqUTehbJRACLDnhtLLJLwXcZlEmipMGokeFHeBTAYegk
updatekas.exe
kiAKYFqrMpXStSoIWqmIrPfYpSeHSNoblIJwvw
updatekas.exe
ETsVwMBMueBXYRbizkwEmBbxWcqbMZYjDcGqLNhlBzznEuCjgOkqAn
updatekas.exe
dAIVZpVLZZGrFERXNStmMBfzWXPQaoktxaqyLrfwCHcnQDqYxdgyDekUCa
updatekas.exe
gswTMwiyFCuQhkuyBXXRYuJLyWJnGBuYC
updatekas.exe
AqrcdIficuEgYfKwqZRztGJTVoJjKucdasAelyHKguz
updatekas.exe
mUQpqlFBUUfVyLzmtwTmSuzTEAoydiNCMFDTbiwzKfQ
updatekas.exe
qperDYDoykBvEJfdVqHHJXCIjKsAjqc