File name:

SW-FREE.exe

Full analysis: https://app.any.run/tasks/98f38763-6445-49f8-82cb-0e42d67856aa
Verdict: Malicious activity
Analysis date: April 29, 2025, 18:07:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

FE38E7C8DB64D5D0A9DFF8369C9BD4F7

SHA1:

D03FF84710BED11BEA3DA029714C8D47DAA204AF

SHA256:

C74954BCC4C4B65489A248B9E522C4C0ABCBE734530F57BB2A5B0AAB101A0638

SSDEEP:

98304:aLx0AI8+M9qZAqGAdW4oJxakBOuHVXVjXWoLU6Gp8Tn5bfgBhLsW/1Zvf+l8QDDo:BcQT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 1328)
      • net.exe (PID: 7712)
      • net.exe (PID: 2420)

  • SUSPICIOUS

    • Execution of CURL command

      • SW-FREE.exe (PID: 4628)

    • Hides command output

      • cmd.exe (PID: 8004)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6972)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 7824)
      • cmd.exe (PID: 456)

    • Starts CMD.EXE for commands execution

      • SW-FREE.exe (PID: 4628)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 5556)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5528)
      • WMIC.exe (PID: 8136)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 6112)

    • Uses WMIC.EXE to obtain network information

      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 8172)

    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 8104)

    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 8188)
      • cmd.exe (PID: 4996)

  • INFO

    • VMProtect protector has been detected

      • SW-FREE.exe (PID: 4628)

    • Checks supported languages

      • SW-FREE.exe (PID: 4628)
      • curl.exe (PID: 7520)
      • curl.exe (PID: 7596)
      • curl.exe (PID: 8020)
      • curl.exe (PID: 7800)

    • Reads the computer name

      • curl.exe (PID: 8020)
      • curl.exe (PID: 7520)
      • curl.exe (PID: 7596)
      • curl.exe (PID: 7800)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4812)
      • WMIC.exe (PID: 5528)
      • WMIC.exe (PID: 2088)
      • WMIC.exe (PID: 6048)
      • WMIC.exe (PID: 1452)
      • WMIC.exe (PID: 8116)
      • WMIC.exe (PID: 8136)
      • WMIC.exe (PID: 2664)
      • WMIC.exe (PID: 776)
      • WMIC.exe (PID: 2288)

    • Reads the software policy settings

      • slui.exe (PID: 7248)
      • slui.exe (PID: 3140)

    • Execution of CURL command

      • cmd.exe (PID: 6972)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 7824)
      • cmd.exe (PID: 8004)

    • Checks proxy server information

      • slui.exe (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:08 11:13:09+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 35328
InitializedDataSize: 18944
UninitializedDataSize: -
EntryPoint: 0x691883
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
216
Monitored processes
84
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start sw-free.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs curl.exe svchost.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs slui.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs curl.exe cmd.exe no specs curl.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs curl.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs sw-free.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
456C:\WINDOWS\system32\cmd.exe /c pause > nulC:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
684C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
776wmic baseboard get serialnumberC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1164C:\WINDOWS\system32\cmd.exe /c wmic nic where (NetConnectionStatus=2) get MACAddressC:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1180C:\WINDOWS\system32\cmd.exe /c pause > nulC:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1328C:\WINDOWS\system32\cmd.exe /c net stop Winmgmt C:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1452wmic bios get serialnumberC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1672C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1812C:\WINDOWS\system32\cmd.exe /c wmic bios get serialnumberC:\Windows\System32\cmd.exeSW-FREE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2088wmic nic where (NetConnectionStatus=2) get MACAddressC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
5 365
Read events
5 365
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
8020curl.exeC:\Windows\applecleaner.exehtml
MD5:A9F2163A24F9F4FCBD1AC0316494EFC6
SHA256:2A9DC761FC33E70926CDBD914E0A347DA90396DF6C316C44899F396E923A855C
7520curl.exeC:\Windows\MemoryIntegrityx64.exehtml
MD5:A9F2163A24F9F4FCBD1AC0316494EFC6
SHA256:2A9DC761FC33E70926CDBD914E0A347DA90396DF6C316C44899F396E923A855C
7800curl.exeC:\Windows\applecleaner.exehtml
MD5:A9F2163A24F9F4FCBD1AC0316494EFC6
SHA256:2A9DC761FC33E70926CDBD914E0A347DA90396DF6C316C44899F396E923A855C
7596curl.exeC:\Windows\SteelSeriesGG.syshtml
MD5:A9F2163A24F9F4FCBD1AC0316494EFC6
SHA256:2A9DC761FC33E70926CDBD914E0A347DA90396DF6C316C44899F396E923A855C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
32
DNS requests
21
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7840
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
756
lsass.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
756
lsass.exe
GET
200
142.250.185.195:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
7840
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.216.77.19
  • 23.216.77.6
  • 23.216.77.13
  • 23.216.77.21
  • 23.216.77.17
  • 23.216.77.16
  • 23.216.77.7
  • 23.216.77.20
  • 23.216.77.22
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.134
  • 20.190.160.64
  • 40.126.32.74
  • 40.126.32.76
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
link.storjshare.io
  • 185.244.226.2
malicious

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
8020
curl.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
8020
curl.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
7520
curl.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
7520
curl.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
7596
curl.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
7596
curl.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SW-FREE.exe