| File name: | M Centers 8th Edition 8.0.1.3 x64.zip |
| Full analysis: | https://app.any.run/tasks/f99e46ca-8a4e-4d70-8032-9773f96ccc27 |
| Verdict: | Malicious activity |
| Analysis date: | June 13, 2025, 18:23:14 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 45E79C6885617D804B3CD32374B73C35 |
| SHA1: | 4FDBFF28617C4A42DF7584767BB55970CC071411 |
| SHA256: | FD7AF6283FEED5A93D769D404BFC3A6F1F8361823CBB51D12A9EE9A5640AE654 |
| SSDEEP: | 98304:+rdi5SFDA2BoLpKuiZUwHKvCecouqe1QnG43FX1fezTCO8zP8beNokNabAbxAk6Y:UkBT5Ky0KD |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 1984)
MENORAH has been detected (YARA)
- M Centers.exe (PID: 6512)
SUSPICIOUS
Reads security settings of Internet Explorer
- M Centers.exe (PID: 6512)
The process executes via Task Scheduler
- updater.exe (PID: 5348)
Application launched itself
- updater.exe (PID: 5348)
INFO
Manual execution by a user
- M Centers.exe (PID: 6512)
- WinRAR.exe (PID: 6180)
- M Centers.exe (PID: 1896)
- FileHistory.exe (PID: 7060)
The sample compiled with english language support
- WinRAR.exe (PID: 6180)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 6180)
Reads the computer name
- M Centers.exe (PID: 6512)
- updater.exe (PID: 5348)
Checks supported languages
- M Centers.exe (PID: 6512)
- updater.exe (PID: 5348)
- updater.exe (PID: 3668)
Reads the machine GUID from the registry
- M Centers.exe (PID: 6512)
Reads Environment values
- M Centers.exe (PID: 6512)
Creates files in the program directory
- M Centers.exe (PID: 6512)
Disables trace logs
- M Centers.exe (PID: 6512)
Checks proxy server information
- M Centers.exe (PID: 6512)
- slui.exe (PID: 6404)
Reads the software policy settings
- M Centers.exe (PID: 6512)
- slui.exe (PID: 6404)
Reads security settings of Internet Explorer
- FileHistory.exe (PID: 7060)
Process checks whether UAC notifications are on
- updater.exe (PID: 5348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .kmz | | | Google Earth saved working session (60) |
|---|---|---|
| .zip | | | ZIP compressed archive (40) |
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2021:10:10 00:11:58 |
| ZipCRC: | 0x45488a5b |
| ZipCompressedSize: | 125804 |
| ZipUncompressedSize: | 228352 |
| ZipFileName: | FluentWPF.dll |
Total processes
132
Monitored processes
9
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1896 | "C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe" | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe | — | explorer.exe | |||||||||||
User: admin Company: M Centers Integrity Level: MEDIUM Description: M Centers 8th Edition Exit code: 3221226540 Version: 8.0.1.3 Modules
| |||||||||||||||
| 1984 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3388 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3668 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478 | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | — | updater.exe | |||||||||||
User: SYSTEM Company: Google LLC Integrity Level: SYSTEM Description: Google Updater Exit code: 0 Version: 134.0.6985.0 Modules
| |||||||||||||||
| 5348 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Google LLC Integrity Level: SYSTEM Description: Google Updater Exit code: 0 Version: 134.0.6985.0 Modules
| |||||||||||||||
| 6180 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64.zip" "C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 6404 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6512 | "C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe" | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe | explorer.exe | ||||||||||||
User: admin Company: M Centers Integrity Level: HIGH Description: M Centers 8th Edition Exit code: 0 Version: 8.0.1.3 Modules
| |||||||||||||||
| 7060 | "C:\WINDOWS\System32\FileHistory.exe" "C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe" | C:\Windows\System32\FileHistory.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: File History Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 560
Read events
12 508
Write events
52
Delete events
0
Modification events
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64.zip | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1984) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
5
Suspicious files
2
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\FluentWPF.dll | executable | |
MD5:908668FFDE26AB371A2EF711206AA05D | SHA256:8E136EC981ED7D7ABF0C8153DB901FCD9E7A311A61E209D88A9CA2B51FC17838 | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\MCentersLibrary.dll | executable | |
MD5:B7E0FAE475B740863FF755F83C797D81 | SHA256:A72909C32B024DD8304BD62472A18B778411456AF0FC1AC74DE762D1258917E3 | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe | executable | |
MD5:1D3D75FA1C81B55D68500D95A92807FB | SHA256:5F405489A7F6C67BBCC130EBBB272A99BDE94B0D01B1B958F6F05580FB58A2D3 | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\MaterialDesignColors.dll | executable | |
MD5:51544FC07BB8B88D2F1E87B8F4C32CE6 | SHA256:F06826845732D945421C341C8D1ABB337AB9A2E757D90A763AC618AA445BF63E | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\MaterialDesignThemes.Wpf.dll | executable | |
MD5:05347205B59C343705C5B1DA21D8F9D3 | SHA256:F8144C2D063144A98E6FAA4E4D6F11CB3D08D20313E196CDD03ADDB8186CA6FD | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\MaterialDesignThemes.Wpf.xml | xml | |
MD5:1BB82BBB22468938D4B9D2D138C548FB | SHA256:D016AA634C248F9F6D954C4E8836996637C8D2F2E01077E99F58D3D64DAADDFD | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.exe.config | xml | |
MD5:FC89142FBA7697E848F0E0C5951D86F1 | SHA256:D9FF2B6C916E5B42BC486855EEBFBD9E5E409C01D49FC264850FDE2AC9268820 | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\MCentersLibrary.pdb | binary | |
MD5:3871173661F95706FC1E6A5A698D0E77 | SHA256:5BD064D84D0650070F855F5C56EF2116F963938E2AE992179041D4DD3977FA1A | |||
| 6180 | WinRAR.exe | C:\Users\admin\Desktop\M Centers 8th Edition 8.0.1.3 x64\M Centers.pdb | binary | |
MD5:A0D02EB06DFE43AEF9CB905E2B86EBD9 | SHA256:CA4C956947FDFCAE838FD27CF9A719A97AB43F85AB994FCCB352662ED0AFED37 | |||
| 3668 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text | |
MD5:5938A2C962031CE8372C3C70A309F5F5 | SHA256:AE4496308CEF0BB0B1E195D477CBA4287E3AF38C434C6ADEF7638ADF7FEF3042 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
24
DNS requests
7
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | GET | 404 | 140.82.121.4:443 | https://raw.githubusercontent.com/tinedpakgamer/M-Centers-8.0/master/CurrentVersion.txt | unknown | text | 14 b | whitelisted |
— | — | GET | 404 | 140.82.121.4:443 | https://raw.githubusercontent.com/tinedpakgamer/mcenterdlls/main/main | unknown | text | 14 b | whitelisted |
— | — | GET | 404 | 140.82.121.4:443 | https://raw.githubusercontent.com/tinedpakgamer/mcenterdlls/main/main | unknown | text | 14 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
— | — | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
raw.githubusercontent.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |