| File name: | Fleasion-CLI-Crivals5.zip |
| Full analysis: | https://app.any.run/tasks/728c2343-0078-40c5-90ba-24556c259d1c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 13, 2025, 16:20:43 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=store |
| MD5: | A33F1A95375D7BE45969EDAB792A4CE1 |
| SHA1: | 3C9F850E61621540B1E442543164A69E5906D5DB |
| SHA256: | 7787A5EF0252B0EF27CF7E24A9833CC8B8D5F4A45370E38376A3F0E78938AA4C |
| SSDEEP: | 6144:mQ787BJ9e8csaG7jDGMJZ138dNEn6ZL3HcblVNeVlMQv:mS87Bq8csaG7vGMJ/38dJL3HSzebM0 |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 2040)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3668)
- WinRAR.exe (PID: 2040)
Application launched itself
- cmd.exe (PID: 3668)
Executable content was dropped or overwritten
- python-installer.exe (PID: 5424)
- curl.exe (PID: 5456)
- python-installer.exe (PID: 3768)
- python-3.13.1-amd64.exe (PID: 2980)
Executes as Windows Service
- VSSVC.exe (PID: 6304)
Starts itself from another location
- python-installer.exe (PID: 5424)
Searches for installed software
- python-installer.exe (PID: 5424)
- dllhost.exe (PID: 472)
Reads security settings of Internet Explorer
- python-installer.exe (PID: 5424)
The process drops C-runtime libraries
- python-3.13.1-amd64.exe (PID: 2980)
- msiexec.exe (PID: 6512)
- python-installer.exe (PID: 5424)
Process drops legitimate windows executable
- python-installer.exe (PID: 5424)
- python-3.13.1-amd64.exe (PID: 2980)
- msiexec.exe (PID: 6512)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 2040)
Process drops python dynamic module
- msiexec.exe (PID: 6512)
INFO
Reads security settings of Internet Explorer
- notepad.exe (PID: 4968)
- notepad.exe (PID: 6292)
- notepad.exe (PID: 6868)
- notepad.exe (PID: 3628)
- notepad.exe (PID: 4684)
Manual execution by a user
- notepad.exe (PID: 4968)
- notepad.exe (PID: 6292)
- notepad.exe (PID: 3628)
- cmd.exe (PID: 3668)
- notepad.exe (PID: 6868)
- notepad.exe (PID: 4684)
Create files in a temporary directory
- curl.exe (PID: 5456)
- python-installer.exe (PID: 3768)
- python-installer.exe (PID: 5424)
Reads the computer name
- curl.exe (PID: 5456)
- python-3.13.1-amd64.exe (PID: 2980)
- python-installer.exe (PID: 5424)
Checks supported languages
- curl.exe (PID: 5456)
- curl.exe (PID: 3844)
- python-installer.exe (PID: 3768)
- python-installer.exe (PID: 5424)
- python-3.13.1-amd64.exe (PID: 2980)
Checks operating system version
- cmd.exe (PID: 3668)
Execution of CURL command
- cmd.exe (PID: 3668)
The sample compiled with english language support
- curl.exe (PID: 5456)
- python-installer.exe (PID: 3768)
- python-installer.exe (PID: 5424)
- python-3.13.1-amd64.exe (PID: 2980)
- msiexec.exe (PID: 6512)
Process checks computer location settings
- python-installer.exe (PID: 5424)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6512)
Manages system restore points
- SrTasks.exe (PID: 7120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2025:06:06 17:44:00 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | Fleasion-CLI-Crivals/ |
Total processes
160
Monitored processes
24
Malicious processes
3
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 472 | C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1332 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1720 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2028 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR2040.6478\Rar$Scan102249.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2040 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Fleasion-CLI-Crivals5.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 2324 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2460 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2980 | "C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\.be\python-3.13.1-amd64.exe" -q -burn.elevated BurnPipe.{59A682B9-4780-4B61-B66B-C80E9AC3E458} {AE9DCBAD-7D05-441A-AB6C-0CDE76275334} 5424 | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\.be\python-3.13.1-amd64.exe | python-installer.exe | ||||||||||||
User: admin Company: Python Software Foundation Integrity Level: HIGH Description: Python 3.13.1 (64-bit) Version: 3.13.1150.0 Modules
| |||||||||||||||
| 3628 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\log.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3668 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\run.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
24 830
Read events
21 981
Write events
2 792
Delete events
57
Modification events
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Fleasion-CLI-Crivals5.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
69
Suspicious files
58
Text files
2 027
Unknown types
43
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 472 | dllhost.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 5424 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\lib_AllUsers | — | |
MD5:— | SHA256:— | |||
| 5424 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\.ba\Default.wxl | xml | |
MD5:E1A9ABB2936BC6E980C9BACEBE71C5A9 | SHA256:7F30044D0B14262F8BACD2891A810B127550CA56FC4D0E1D619AE489AAF6EC18 | |||
| 5424 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\.be\python-3.13.1-amd64.exe | executable | |
MD5:9BC2CFCE73FE043E69C909FB1546DBBF | SHA256:BA89D23A7C937C05FEBA316A927773FAAF7BECFB2279D9EDAC6CC11E31205E29 | |||
| 5424 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\exe_AllUsers | executable | |
MD5:B9D43D530E11B38D35EC8005BC4AD099 | SHA256:7803A9AC06A96048683CAA4349E01FF9EBBB7C71507AA90901860FAF3F5DBED7 | |||
| 5424 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\.ba\PythonBA.dll | executable | |
MD5:E8CD5641CAE8AE7E9F98B8A3B7096808 | SHA256:898474AD4074571813416E58667A3B8A233E12E656579726C178EC71F794B268 | |||
| 3768 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2C0F3FCF-365E-4ED7-847F-65516F8B961E}\.cr\python-installer.exe | executable | |
MD5:9BC2CFCE73FE043E69C909FB1546DBBF | SHA256:BA89D23A7C937C05FEBA316A927773FAAF7BECFB2279D9EDAC6CC11E31205E29 | |||
| 5424 | python-installer.exe | C:\Users\admin\AppData\Local\Temp\{2451027D-1002-4BF4-8D66-B4A3A04213AB}\.ba\Default.thm | xml | |
MD5:1D2CBC76A6A70F60729EE66D6876BB66 | SHA256:D0D3351D4CDE77EB245B026D677E4AE5177A50EE0B9A43DB23349F1AB5DEEDC9 | |||
| 2980 | python-3.13.1-amd64.exe | C:\ProgramData\Package Cache\.unverified\lib_AllUsers | — | |
MD5:— | SHA256:— | |||
| 2980 | python-3.13.1-amd64.exe | C:\ProgramData\Package Cache\{29A3DBE6-A3D3-42C9-9338-A321F61C897A}v3.13.1150.0\lib.msi | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
23
DNS requests
11
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3964 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3964 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6512 | msiexec.exe | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D | unknown | — | — | whitelisted |
6512 | msiexec.exe | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTh4QXD3xfHaxna9yfH20h%2Ft5LfbQQUZZ9RzoVofy%2BKRYiq3acxux4NAF4CEzMAATrAmwCycB81MNQAAAABOsA%3D | unknown | — | — | whitelisted |
6512 | msiexec.exe | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAF%2B3pcMhNh310AAAAAAAU%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 151.101.64.223:443 | https://www.python.org/ftp/python/3.13.1/python-3.13.1-amd64.exe | unknown | executable | 27.3 Mb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3964 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3964 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
3964 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.python.org |
| whitelisted |
oneocsp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |