File name: wexside.7z
Full analysis: https://app.any.run/tasks/fd5aeb39-553f-4ee0-b498-8c4ca155746c
Verdict: Malicious activity
Analysis date: June 08, 2025, 21:12:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 8088769807AEFF388BDA19A6EBBD01ED
SHA1: 34C262059F403B71047AFD9ABBEA3011E46606E0
SHA256: 617C5C6636536AECC37054205687A4044F9BD17345A71C558A42218609C74CCA
SSDEEP: 196608:p9OmpIsnhcHO4XPuPRNgrZ5qsGcV9Ga/jRqnzXWHTfoIR8M:vGouOWPQzgrmmd9qzX2N2M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7048)
  • SUSPICIOUS

    • Executes application which crashes

      • MSBuild.exe (PID: 7000)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 7048)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 7048)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7048)
  • INFO

    • Checks supported languages

      • wexside-new.exe (PID: 6248)
      • MSBuild.exe (PID: 7000)
      • MpCmdRun.exe (PID: 8044)
    • Manual execution by a user

      • wexside-new.exe (PID: 6248)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 7000)
    • Reads the computer name

      • MSBuild.exe (PID: 7000)
      • MpCmdRun.exe (PID: 8044)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1852)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7048)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 8044)
    • Checks proxy server information

      • slui.exe (PID: 5624)
    • Reads the software policy settings

      • slui.exe (PID: 5624)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2025:06:07 07:13:40+00:00
ArchivedFileName: wexside
No data.
Total processes: 129
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes in the graph: winrar.exe, wexside-new.exe, conhost.exe, msbuild.exe, werfault.exe, slui.exe, cmd.exe, conhost.exe, mpcmdrun.exe

Process information

(Fields per process: PID, CMD, Path, Indicators, Parent process)
PID: 1852
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7000 -s 856
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: MSBuild.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5124
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: wexside-new.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5624
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6248
CMD: "C:\Users\admin\Desktop\wexside-new.exe"
Path: C:\Users\admin\Desktop\wexside-new.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\wexside-new.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 6876
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7048.5688\Rar$Scan110766.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 7000
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: wexside-new.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 3221225477
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7048
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\wexside.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7224
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8044
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7048.5688"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Malware Protection Command Line Utility
Exit code: 2
Version: 4.18.1909.6 (WinBuild.160101.0800)
Modules (images):
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
Total events: 6 797
Read events: 6 787
Write events: 10
Delete events: 0

Modification events

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\wexside.7z

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write
Name: ArcSort
Value: 32

Process: (7048) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation: write
Name: DefScanner
Value: Windows Defender
Executable files: 2
Suspicious files: 1
Text files: 4
Unknown types: 0

Dropped files

(Fields per file: PID, Process, Filename, Type)

PID: 1852 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_d6d361fb51dc191b263f33ce496b8bf9d4dec4_59a9f4ae_d9ba8949-9838-4213-b912-f714e3b43468\Report.wer
MD5:
SHA256:

PID: 1852 | Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\MSBuild.exe.7000.dmp
MD5:
SHA256:

PID: 7048 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$VR7048.5688\wexside.7z\wexside\wexside-new.exe
Type: executable
MD5: 8F26514A5E46FD9AEB0E3762C2BA5198
SHA256: 116053DDEE75E67C04DA90BD19202DA3D2A47F189C47A4126E248A5E3F6A6B91

PID: 7048 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$VR7048.5688\wexside.7z\wexside\cfg.dll
Type: executable
MD5: 92D8E195ADDD7C6AE9589311D9DDFE46
SHA256: 95E62B3EE2A56D9661E5401148B9A7617E1AF252A5F20915A527ECB9698DE510

PID: 1852 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D02.tmp.WERInternalMetadata.xml
Type: xml
MD5: A337226EC84551BC31E9ABE3E5EB8A0D
SHA256: F789D14BD9C18B423EF9A05334F1F92FD49359BFA03326FE6B1CBB6CC22353A5

PID: 1852 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D22.tmp.xml
Type: xml
MD5: 58853AD9F4D795C0717257DB5D38CD09
SHA256: 63B296294A88037A61EF5984F2E07D47FF522D39EBAE01435C5D8BC616306191

PID: 8044 | Process: MpCmdRun.exe
Filename: C:\Users\admin\AppData\Local\Temp\MpCmdRun.log
Type: text
MD5: 947E7A2624D063CD59CD15C84DA02926
SHA256: 9F204095C930937B2E794C04D65349097B57B7E74C4A533953356FA5628BB32D

PID: 7048 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$VR7048.5688\Rar$Scan110766.bat
Type: text
MD5: 6AFA3E5334D25768A804AA236FBB3385
SHA256: CB21E458F414F4B51D7239562EC75999CB8246F4E379A1D606323E031052FD82

PID: 1852 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C17.tmp.dmp
Type: binary
MD5: 2B322019675C62F79210FFEBC77E5C09
SHA256: 9134E1D9D7D47C2075D3A95D2AD296CB85D089BF912A77162DAC0009CADF3756
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

(Fields per request: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation; PID and Process are blank for every row in this export)

Method: GET | HTTP code: 200 | IP: 23.216.77.38:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
Method: POST | HTTP code: 500 | IP: 40.91.76.224:443 | URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | Type: xml | Size: 512 b | Reputation: whitelisted
Method: POST | HTTP code: 500 | IP: 40.91.76.224:443 | URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | Type: xml | Size: 512 b | Reputation: whitelisted
Method: GET | HTTP code: 200 | IP: 23.35.229.160:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

Connections

(Fields per connection: PID, Process, IP, Domain, ASN, CN, Reputation)

IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
IP: 23.216.77.38:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
IP: 23.35.229.160:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: DE | Reputation: whitelisted
PID: 7320 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 5624 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

(Fields per query: Domain, resolved IP(s), Reputation)

Domain: settings-win.data.microsoft.com | IP: 4.231.128.59 | Reputation: whitelisted
Domain: google.com | IP: 142.250.185.78 | Reputation: whitelisted
Domain: crl.microsoft.com | IP: 23.216.77.38, 23.216.77.39, 23.216.77.43, 23.216.77.41, 23.216.77.4, 23.216.77.10, 23.216.77.13, 23.216.77.7, 23.216.77.11 | Reputation: whitelisted
Domain: www.microsoft.com | IP: 23.35.229.160 | Reputation: whitelisted
Domain: activation-v2.sls.microsoft.com | IP: 40.91.76.224 | Reputation: whitelisted
Domain: self.events.data.microsoft.com | IP: 20.50.73.11 | Reputation: whitelisted

Threats

No threats detected
No debug info