File name:

Optimizer-16.7.zip

Full analysis: https://app.any.run/tasks/60cd3e43-3800-45a6-9b42-0878a5a4c2eb
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers are also capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 05, 2025, 02:03:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
svcstealer
stealer
crypto-regex
python
github
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

49642BB321129C663A7BA8E6B3E506EE

SHA1:

E5A299811052859FA42825F23A1AB5213B339360

SHA256:

F497B120B69FE88B754A16B82BBDA227DCFF5E55FB93569C85960F9C457BE99C

SSDEEP:

98304:wnrA9266tQKS9jWJ5NC17nA2rvOxHAIXjSH5N6GiN+S2EcSG/agsfhWA+pRTq3bL:jA+0+2ThSq1dl7A9S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • lang.tmp (PID: 736)
      • lang.tmp (PID: 2088)
    • Runs injected code in another process

      • regsvr32.exe (PID: 668)
    • Application was injected by another process

      • explorer.exe (PID: 5492)
    • SVCSTEALER mutex has been found

      • 235F.tmp.exe (PID: 1532)
    • Changes the autorun value in the registry

      • 235F.tmp.exe (PID: 1532)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 4408)
      • B6A.tmp.exe (PID: 2852)
      • conhost.exe (PID: 5056)
      • conhost.exe (PID: 4980)
      • powershell.exe (PID: 6476)
      • svchost.exe (PID: 6652)
      • powershell.exe (PID: 1328)
      • backgroundTaskHost.exe (PID: 5020)
      • RuntimeBroker.exe (PID: 2268)
      • Optimizer-16.7.exe (PID: 3124)
      • consent.exe (PID: 4608)
      • Optimizer-16.7.exe (PID: 7148)
      • regsvr32.exe (PID: 5244)
      • conhost.exe (PID: 4308)
      • powershell.exe (PID: 6744)
      • conhost.exe (PID: 6500)
      • powershell.exe (PID: 7052)
      • regsvr32.exe (PID: 1228)
      • conhost.exe (PID: 1040)
      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 4408)
      • conhost.exe (PID: 4692)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Optimizer-16.7.exe (PID: 5352)
      • WinRAR.exe (PID: 4740)
      • Optimizer-16.7.exe (PID: 2616)
      • lang.tmp (PID: 1388)
      • Optimizer-16.7.exe (PID: 208)
      • Optimizer-16.7.exe (PID: 6960)
      • Optimizer-16.7.exe (PID: 3124)
      • lang.tmp (PID: 6392)
      • Optimizer-16.7.exe (PID: 7148)
    • Reads the date of Windows installation

      • Optimizer-16.7.exe (PID: 5352)
      • Optimizer-16.7.exe (PID: 2616)
      • Optimizer-16.7.exe (PID: 6960)
      • Optimizer-16.7.exe (PID: 3124)
    • Reads the Windows owner or organization settings

      • lang.tmp (PID: 1388)
      • lang.tmp (PID: 736)
      • lang.tmp (PID: 6392)
      • lang.tmp (PID: 2088)
    • Executable content was dropped or overwritten

      • lang.tmp (PID: 1388)
      • lang.exe (PID: 3008)
      • lang.tmp (PID: 736)
      • explorer.exe (PID: 5492)
      • 235F.tmp.exe (PID: 1532)
      • lang.exe (PID: 5332)
      • B6A.tmp.exe (PID: 4976)
      • lang.tmp (PID: 6392)
      • lang.exe (PID: 2616)
      • lang.exe (PID: 1812)
      • lang.tmp (PID: 2088)
    • Process drops legitimate windows executable

      • lang.tmp (PID: 1388)
      • lang.tmp (PID: 736)
      • B6A.tmp.exe (PID: 4976)
      • lang.tmp (PID: 6392)
      • lang.tmp (PID: 2088)
    • Application launched itself

      • Optimizer-16.7.exe (PID: 2616)
      • B6A.tmp.exe (PID: 4976)
      • Optimizer-16.7.exe (PID: 3124)
    • Starts POWERSHELL.EXE for commands execution

      • regsvr32.exe (PID: 668)
      • regsvr32.exe (PID: 4880)
      • regsvr32.exe (PID: 6256)
      • regsvr32.exe (PID: 4408)
      • regsvr32.exe (PID: 5244)
      • regsvr32.exe (PID: 1228)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 668)
    • The process hides an interactive prompt from the user

      • regsvr32.exe (PID: 668)
    • Starts a Microsoft application from unusual location

      • 235F.tmp.exe (PID: 1532)
    • Found regular expressions for crypto-addresses (YARA)

      • 235F.tmp.exe (PID: 1532)
    • Connects to the server without a host name

      • explorer.exe (PID: 5492)
    • The process executes via Task Scheduler

      • regsvr32.exe (PID: 4880)
      • regsvr32.exe (PID: 6256)
      • regsvr32.exe (PID: 4408)
      • regsvr32.exe (PID: 1228)
    • Searches for installed software

      • CompatTelRunner.exe (PID: 5332)
      • lang.tmp (PID: 2088)
    • Loads Python modules

      • B6A.tmp.exe (PID: 2852)
    • The process drops C-runtime libraries

      • B6A.tmp.exe (PID: 4976)
    • Process drops python dynamic module

      • B6A.tmp.exe (PID: 4976)
    • Detected use of alternative data streams (AltDS)

      • WmiPrvSE.exe (PID: 4488)
  • INFO

    • Reads the time zone

      • WmiPrvSE.exe (PID: 4488)
      • MusNotifyIcon.exe (PID: 4896)
    • Creates files in the program directory

      • MusNotifyIcon.exe (PID: 4896)
      • Optimizer-16.7.exe (PID: 208)
      • Optimizer-16.7.exe (PID: 7148)
      • svchost.exe (PID: 540)
    • The sample is compiled with English language support

      • WinRAR.exe (PID: 4740)
      • lang.tmp (PID: 1388)
      • lang.tmp (PID: 736)
      • B6A.tmp.exe (PID: 4976)
      • lang.tmp (PID: 6392)
      • lang.tmp (PID: 2088)
    • Reads the software policy settings

      • WaaSMedicAgent.exe (PID: 2656)
      • SIHClient.exe (PID: 6272)
      • consent.exe (PID: 5260)
      • slui.exe (PID: 3020)
      • CompatTelRunner.exe (PID: 5332)
      • slui.exe (PID: 6592)
      • WerFault.exe (PID: 5552)
      • backgroundTaskHost.exe (PID: 5020)
      • consent.exe (PID: 4608)
      • Optimizer-16.7.exe (PID: 7148)
    • Reads the computer name

      • Optimizer-16.7.exe (PID: 5352)
      • lang.tmp (PID: 1388)
      • lang.tmp (PID: 736)
      • Optimizer-16.7.exe (PID: 208)
      • Optimizer-16.7.exe (PID: 780)
      • 11E6.tmp.exe (PID: 6228)
      • Optimizer-16.7.exe (PID: 2616)
      • B6A.tmp.exe (PID: 4976)
      • Optimizer-16.7.exe (PID: 6960)
      • lang.tmp (PID: 6392)
      • Optimizer-16.7.exe (PID: 3124)
      • lang.tmp (PID: 2088)
      • Optimizer-16.7.exe (PID: 7148)
    • Checks supported languages

      • Optimizer-16.7.exe (PID: 5352)
      • Optimizer-16.7.exe (PID: 2616)
      • lang.exe (PID: 3008)
      • lang.tmp (PID: 736)
      • Optimizer-16.7.exe (PID: 208)
      • 235F.tmp.exe (PID: 1532)
      • Optimizer-16.7.exe (PID: 780)
      • 11E6.tmp.exe (PID: 6228)
      • lang.tmp (PID: 1388)
      • lang.exe (PID: 5332)
      • B6A.tmp.exe (PID: 4976)
      • B6A.tmp.exe (PID: 2852)
      • Optimizer-16.7.exe (PID: 6960)
      • Optimizer-16.7.exe (PID: 3124)
      • lang.tmp (PID: 6392)
      • lang.exe (PID: 2616)
      • lang.exe (PID: 1812)
      • Optimizer-16.7.exe (PID: 7148)
      • lang.tmp (PID: 2088)
    • Process checks computer location settings

      • Optimizer-16.7.exe (PID: 5352)
      • lang.tmp (PID: 1388)
      • Optimizer-16.7.exe (PID: 2616)
      • Optimizer-16.7.exe (PID: 6960)
      • Optimizer-16.7.exe (PID: 3124)
      • lang.tmp (PID: 6392)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4740)
    • Creates files in a temporary directory

      • lang.tmp (PID: 1388)
      • lang.exe (PID: 3008)
      • lang.tmp (PID: 736)
      • Optimizer-16.7.exe (PID: 208)
      • explorer.exe (PID: 5492)
      • lang.exe (PID: 5332)
      • B6A.tmp.exe (PID: 4976)
      • lang.exe (PID: 2616)
      • lang.tmp (PID: 6392)
      • lang.exe (PID: 1812)
      • lang.tmp (PID: 2088)
      • Optimizer-16.7.exe (PID: 7148)
      • WerFault.exe (PID: 5552)
    • Reads Environment values

      • Optimizer-16.7.exe (PID: 208)
      • Optimizer-16.7.exe (PID: 7148)
    • Reads product name

      • Optimizer-16.7.exe (PID: 208)
      • Optimizer-16.7.exe (PID: 7148)
    • Creates files or folders in the user directory

      • lang.tmp (PID: 736)
      • 235F.tmp.exe (PID: 1532)
      • WerFault.exe (PID: 5552)
      • lang.tmp (PID: 2088)
    • Reads the machine GUID from the registry

      • Optimizer-16.7.exe (PID: 208)
      • Optimizer-16.7.exe (PID: 780)
      • Optimizer-16.7.exe (PID: 2616)
      • B6A.tmp.exe (PID: 2852)
      • Optimizer-16.7.exe (PID: 3124)
      • Optimizer-16.7.exe (PID: 7148)
    • Creates a software uninstall entry

      • lang.tmp (PID: 736)
      • lang.tmp (PID: 2088)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 812)
      • powershell.exe (PID: 2332)
      • powershell.exe (PID: 1056)
      • powershell.exe (PID: 5740)
      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 632)
      • powershell.exe (PID: 3976)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 1328)
      • powershell.exe (PID: 6744)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 4408)
    • Checks proxy server information

      • explorer.exe (PID: 5492)
      • slui.exe (PID: 6592)
      • WerFault.exe (PID: 5552)
      • backgroundTaskHost.exe (PID: 5020)
      • Optimizer-16.7.exe (PID: 7148)
    • Loads dropped or rewritten executable

      • Optimizer-16.7.exe (PID: 6960)
    • Reads security settings of Internet Explorer

      • RuntimeBroker.exe (PID: 2268)
      • backgroundTaskHost.exe (PID: 5020)
    • Disables trace logs

      • Optimizer-16.7.exe (PID: 7148)
    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 4488)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:04:04 14:05:44
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: tls/
No data.
All screenshots are available in the full report
Total processes
197
Monitored processes
76
Malicious processes
15
Suspicious processes
13

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
208
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\bin\Optimizer-16.7.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\bin\Optimizer-16.7.exe
Parent process:
Optimizer-16.7.exe
User:
admin
Company:
deadmoon © ∞
Integrity Level:
HIGH
Description:
Optimizer
Exit code:
3489660927
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb4740.46152\bin\optimizer-16.7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
540
CMD:
C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\msvcrt.dll
PID:
632
CMD:
"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID:
668
CMD:
/s /i:INSTALL "C:\Users\admin\AppData\Roaming\\d3d118.drv"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
736
CMD:
"C:\Users\admin\AppData\Local\Temp\is-AG7DT.tmp\lang.tmp" /SL5="$70350,2695233,175616,C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\lang\lang.exe" /VERYSILENT
Path:
C:\Users\admin\AppData\Local\Temp\is-AG7DT.tmp\lang.tmp
Parent process:
lang.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ag7dt.tmp\lang.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
780
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.4856\bin\Optimizer-16.7.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.4856\bin\Optimizer-16.7.exe
Parent process:
WinRAR.exe
User:
admin
Company:
deadmoon © ∞
Integrity Level:
MEDIUM
Description:
Optimizer
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb4740.4856\bin\optimizer-16.7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
812
CMD:
"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
920
CMD:
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
1020
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WaaSMedicAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1040
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
145 119
Read events
144 914
Write events
183
Delete events
22

Modification events

(PID) Process:
(5492) explorer.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000030300
Operation:
write
Name:
VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\Optimizer-16.7.zip
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(4740) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(6272) SIHClient.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\sih\sls\{522D76A4-93E1-47F8-B8CE-07C937AD1A1E}\/SLS/{522D76A4-93E1-47F8-B8CE-07C937AD1A1E}/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
Operation:
write
Name:
Expires
Value:
2025-04-07 02:04:12
Executable files
81
Suspicious files
25
Text files
210
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
6272
Process:
SIHClient.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\51867C3735CFAECCDB556E146BB12C28
Type:
binary
MD5:C9F83563ECF15CF675A4207F4FBD5524
SHA256:84AAF3B97C1E91817DF5EE7C854B8D43221EC57BC58AC2670007D369F8A890F4
PID:
5492
Process:
explorer.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Type:
binary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
PID:
4896
Process:
MusNotifyIcon.exe
Filename:
C:\ProgramData\USOShared\Logs\User\NotifyIcon.4c0a4d9b-e3b9-496e-b459-58fcdf4df1ac.1.etl
Type:
binary
MD5:ADB3DCB4A463FD304ADD18544BA3B044
SHA256:9DC198E86A878EDE4195ADFCF74297E6A6FD834FFA7ABEFA0335C63FAF1CBDFB
PID:
6272
Process:
SIHClient.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E94643DE99F5621BC288D045BEA85DD
Type:
binary
MD5:BC478E0E8AAF81E1D7117F8EA42BA861
SHA256:7A1808F27132A681D9B048B5B63DFDD24E51E0F46C2B07D23BF798E070A25E13
PID:
6272
Process:
SIHClient.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\51867C3735CFAECCDB556E146BB12C28
Type:
binary
MD5:A7BEDC2F0BB9F312CD72FCA3B83A5113
SHA256:C94EB6B93DB555B6EE2BD5BE10E6ED5A7B3E3B348F68E7E47629EF61176F6BA0
PID:
6272
Process:
SIHClient.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E94643DE99F5621BC288D045BEA85DD
Type:
binary
MD5:4AD6DCE381E37068540D622904370210
SHA256:DF1278D6D941F24C7ED47C3D5B70D672F0D22BF75BAE5FD1916B58F2B6EBF771
PID:
4740
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\lang\Armenian.ini
Type:
text
MD5:24EDB8749CDD8BD3844F80A98AC189A5
SHA256:08AFE64F3F83B34AF6E4449E2E1DDEA855CEB9A8F1303F2C58E74E9B92093C66
PID:
4740
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\bin\Optimizer-16.7.exe
Type:
executable
MD5:7F57207F221DB2B08E27D64BC9121B28
SHA256:03A234060541B686AC4265754AFF43DF9325C21383F90E17F831E67965D717F8
PID:
4740
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\tls\qschannelbackend.dll
Type:
executable
MD5:1D553367047781E4CB8375E0D69F92F9
SHA256:943B8A803D0521BB0F38C70E22BFB2A7AD89BA84DE2724E670563808F89D4FCB
PID:
4740
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXb4740.46152\lang\Arabic.ini
Type:
text
MD5:E80527FE68081449842BD89D0047A27F
SHA256:0858C44E207ADB05C2294290EE3E35B9F2D2C962F56516A5B804754FA20F44C0
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
17
TCP/UDP connections
36
DNS requests
26
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6272
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5492
explorer.exe
POST
200
185.81.68.156:80
http://185.81.68.156/diamo/post.php
unknown
malicious
5492
explorer.exe
POST
200
185.81.68.156:80
http://185.81.68.156/diamo/post.php
unknown
malicious
5492
explorer.exe
POST
200
185.81.68.156:80
http://185.81.68.156/diamo/post.php
unknown
malicious
5492
explorer.exe
POST
200
185.81.68.156:80
http://185.81.68.156/diamo/post.php
unknown
malicious
5552
WerFault.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5552
WerFault.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
20.198.162.78:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6272
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6272
SIHClient.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 20.198.162.78
  • 20.198.162.76
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.131
  • 20.190.160.132
  • 20.190.160.14
  • 20.190.160.2
  • 40.126.32.72
  • 20.190.160.128
  • 20.190.160.5
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.68
  • 20.190.160.64
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
5492
explorer.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info