Malware analysis Release.zip Malicious activity | ANY.RUN

Add for printing

File name:	Release.zip
Full analysis:	https://app.any.run/tasks/209a24a8-0fd9-4d4a-bda6-0c9a79003a3e
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 08, 2025, 16:31:06
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc loader iqvw64e-sys vuln-driver
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	6B727DF522DF66EB8EE0A79218B10E37
SHA1:	72FBBE3CD73515DFDC229A2B1688562625092B35
SHA256:	81B7C12306ABC4B59BCC1F946975D6E03E74EC78C3A1D4803A211D8A70EDF0CA
SSDEEP:	6144:TKCWUxkndiLwKvBO4Al2I78wJ34XveSP4GuAtEPXif5O1fUrl:TPBx0iLwKvBO4m2IgwJXSSAtffOcrl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 6240)
- Vulnerable driver has been detected
  - mapper.exe (PID: 5928)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - Temp base.exe (PID: 6260)
- Hides command output
  - cmd.exe (PID: 3620)
  - cmd.exe (PID: 2764)
  - cmd.exe (PID: 3632)
  - cmd.exe (PID: 3752)
  - cmd.exe (PID: 7000)
  - cmd.exe (PID: 2212)
- Execution of CURL command
  - Temp base.exe (PID: 6260)
- Executing commands from a ".bat" file
  - Temp base.exe (PID: 6260)
- Reads the date of Windows installation
  - Temp base.exe (PID: 6260)
- Reads security settings of Internet Explorer
  - Temp base.exe (PID: 6260)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 2512)
  - WMIC.exe (PID: 2696)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 4880)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 6372)
- Accesses computer name via WMI (SCRIPT)
  - WMIC.exe (PID: 6372)
- Uses WMIC.EXE to obtain memory chip information
  - cmd.exe (PID: 4880)
- Uses WMIC.EXE to obtain CPU information
  - cmd.exe (PID: 4880)
- Uses WMIC.EXE to obtain physical disk drive information
  - cmd.exe (PID: 4880)
- Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)
  - cmd.exe (PID: 4880)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 4880)
- Executable content was dropped or overwritten
  - curl.exe (PID: 4040)
  - curl.exe (PID: 5548)
  - mapper.exe (PID: 5928)
- Drops a system driver (possible attempt to evade defenses)
  - curl.exe (PID: 4040)
- Process requests binary or script from the Internet
  - curl.exe (PID: 5548)
- Potential Corporate Privacy Violation
  - curl.exe (PID: 5548)
- Uses WMIC.EXE to obtain network information
  - cmd.exe (PID: 4880)
- Stops a currently running service
  - sc.exe (PID: 1232)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3752)
  - cmd.exe (PID: 2212)
- Windows service management via SC.EXE
  - sc.exe (PID: 6376)
- Creates or modifies Windows services
  - mapper.exe (PID: 5928)
INFO
- Manual execution by a user
  - Temp base.exe (PID: 3876)
  - Temp base.exe (PID: 6260)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6240)
- Reads the computer name
  - Temp base.exe (PID: 6260)
  - curl.exe (PID: 4844)
  - curl.exe (PID: 4040)
  - curl.exe (PID: 5548)
- Checks supported languages
  - Temp base.exe (PID: 6260)
  - curl.exe (PID: 4844)
  - mode.com (PID: 7000)
  - curl.exe (PID: 5548)
  - curl.exe (PID: 4040)
  - mapper.exe (PID: 5928)
- Execution of CURL command
  - cmd.exe (PID: 3620)
  - cmd.exe (PID: 3632)
  - cmd.exe (PID: 2764)
- Process checks computer location settings
  - Temp base.exe (PID: 6260)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 7000)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 2072)
  - WMIC.exe (PID: 2512)
  - WMIC.exe (PID: 2160)
  - WMIC.exe (PID: 6372)
  - WMIC.exe (PID: 2696)
  - WMIC.exe (PID: 1564)
  - WMIC.exe (PID: 7160)
  - WMIC.exe (PID: 756)
- Create files in a temporary directory
  - mapper.exe (PID: 5928)
- The sample compiled with english language support
  - mapper.exe (PID: 5928)
- Checks proxy server information
  - slui.exe (PID: 3636)
- Reads the software policy settings
  - slui.exe (PID: 3636)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:07:08 18:30:50
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Release/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

171

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

756

wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

1232

sc stop iqvw64e

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1564

wmic diskdrive get serialnumber

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

1632

"C:\Windows\System32\cmd.exe" /k ""C:\Windows\System32\mapper.exe" "C:\Windows\System32\Driver.sys" & echo. & echo ========== [LamaSpoofer] Mapping Finished ==========& pause"

C:\Windows\System32\cmd.exe

—

Temp base.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1636

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1740

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2032

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2072

wmic baseboard get serialnumber

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

2160

wmic memorychip get serialnumber

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

Add for printing

Total events

9 799

Read events

9 760

Write events

Delete events

Modification events


(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Release.zip
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6240) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6240	WinRAR.exe	C:\Users\admin\Desktop\Release\imgui.ini		text
		MD5:9B1539431B2AD1B386B275252E9CCE51	SHA256:24CB6F9AB027B03A7CB0D155FF245C37A55C17C525AD3D3A6C4351B4FEFB6AD7
5548	curl.exe	C:\Windows\System32\mapper.exe		executable
		MD5:A3395163AC66E65A392B59E87A79499D	SHA256:F34BFACD3A6CBFF4E9964A7C9739B5F74417BED6D5A8DDCAE8A2D0519CABAA84
5928	mapper.exe	C:\Users\admin\AppData\Local\Temp\nTxewYEwEtxfxnZX		executable
		MD5:1898CEDA3247213C084F43637EF163B3	SHA256:4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B
4040	curl.exe	C:\Windows\System32\Driver.sys		executable
		MD5:2D068886EEF3C2E7235525BAA276ADF2	SHA256:6CE01851361B94A05EDC7DAEBA510D3CBB884B5AF6D541C2B11BFC1D2F77F954
6240	WinRAR.exe	C:\Users\admin\Desktop\Release\Temp base.exe		executable
		MD5:08D72BB7D7C719E4F2D0BB7825C7FB35	SHA256:1079EC1388FCA1AD197E1269E6928AB5F80DC8B98102C3B80EF4B3A0BB0323D3
6240	WinRAR.exe	C:\Users\admin\Desktop\Release\serialsold.txt		text
		MD5:C6E1C8437D13948B45AE91E92DBCA772	SHA256:6D7995AAD9974118B7DFB416368D41CE9FBD2C9F71BBDBBD9DC071CC6D012080
4844	curl.exe	C:\Windows\System32\checker.bat		text
		MD5:119A816FB17E3C634DEDA5FA650BBB50	SHA256:8E04607E18F90A99E360F4BFFE37102B20006143859C87AE845694512B41094F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7060	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3572	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3572	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
764	lsass.exe	GET	200	104.18.20.213:80	http://e5.c.lencr.org/115.crl	unknown	—	—	whitelisted
5548	curl.exe	GET	200	217.160.0.24:80	http://velocity.rip/kdmapper.exe	unknown	—	—	unknown
2940	svchost.exe	GET	200	2.23.197.184:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4100	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
7060	svchost.exe	20.190.159.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7060	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	2.23.246.101 23.35.229.160	whitelisted
login.live.com	20.190.159.71 40.126.31.71 40.126.31.129 20.190.159.75 20.190.159.130 40.126.31.73 40.126.31.0 20.190.159.4	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
nexusrules.officeapps.live.com	52.111.227.14	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
files.catbox.moe	108.181.20.35	malicious

Threats

PID	Process	Class	Message
4844	curl.exe	Potentially Bad Traffic	ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
4040	curl.exe	Potentially Bad Traffic	ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5548	curl.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5548	curl.exe	Misc activity	ET INFO Packed Executable Download

Add for printing

No debug info

General Info

Release.zip

6B727DF522DF66EB8EE0A79218B10E37

72FBBE3CD73515DFDC229A2B1688562625092B35

81B7C12306ABC4B59BCC1F946975D6E03E74EC78C3A1D4803A211D8A70EDF0CA

6144:TKCWUxkndiLwKvBO4Al2I78wJ34XveSP4GuAtEPXif5O1fUrl:TPBx0iLwKvBO4m2IgwJXSSAtffOcrl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Vulnerable driver has been detected

SUSPICIOUS

Starts CMD.EXE for commands execution

Hides command output

Execution of CURL command

Executing commands from a ".bat" file

Reads the date of Windows installation

Reads security settings of Internet Explorer

Accesses product unique identifier via WMI (SCRIPT)

Uses WMIC.EXE to obtain a list of video controllers

Accesses video controller name via WMI (SCRIPT)

Accesses computer name via WMI (SCRIPT)

Uses WMIC.EXE to obtain memory chip information

Uses WMIC.EXE to obtain CPU information

Uses WMIC.EXE to obtain physical disk drive information

Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

Uses WMIC.EXE to obtain Windows Installer data

Executable content was dropped or overwritten

Drops a system driver (possible attempt to evade defenses)

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Uses WMIC.EXE to obtain network information

Stops a currently running service

Starts SC.EXE for service management

Windows service management via SC.EXE

Creates or modifies Windows services

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads the computer name

Checks supported languages

Execution of CURL command

Process checks computer location settings

Starts MODE.COM to configure console settings

Reads security settings of Internet Explorer

Create files in a temporary directory

The sample compiled with english language support

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules