Malware analysis reloc.zip Malicious activity | ANY.RUN

Add for printing

File name:	reloc.zip
Full analysis:	https://app.any.run/tasks/114766d9-a37e-4021-9799-30eafcc112aa
Verdict:	Malicious activity
Analysis date:	April 27, 2023, 06:39:24
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	8DFE899B30B8D2F7DD00913FFA5EB832
SHA1:	22D686BEE3871CAD53431477754BA0F699D961AD
SHA256:	EABC6724A7EF0793C73F78B427E940C63551896FE84F3AA83630581973D614CA
SSDEEP:	12288:BsUnvOi5J43tB4wbe2LOVDGbKapJZTwFsUnvOi5J43to4e1rDoNk:eUl5JwB4OeLyp8CUl5Jwo4e1HB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
Opera 12.15 (12.15.1748)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Add for printing

MALICIOUS
- Runs injected code in another process
  - SystemSettings.exe (PID: 1204)
- Application was injected by another process
  - msedge.exe (PID: 6628)
SUSPICIOUS
- Connects to unusual port
  - autorun.exe (PID: 6600)
- Reads settings of System Certificates
  - SystemSettings.exe (PID: 1204)
INFO
- Manual execution by a user
  - SILan.exe (PID: 3344)
  - cmd.exe (PID: 4224)
  - SILan.exe (PID: 6404)
  - notepad.exe (PID: 5780)
  - SILan.exe (PID: 1916)
- Checks supported languages
  - SILan.exe (PID: 3344)
  - SystemSettings.exe (PID: 1204)
  - SILan.exe (PID: 6404)
  - autorun.exe (PID: 4712)
  - SILan.exe (PID: 1916)
  - autorun.exe (PID: 5224)
  - autorun.exe (PID: 6600)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2732)
- Reads the computer name
  - autorun.exe (PID: 6600)
  - SystemSettings.exe (PID: 1204)
  - autorun.exe (PID: 4712)
  - autorun.exe (PID: 5224)
- The process checks LSA protection
  - SystemSettings.exe (PID: 1204)
  - slui.exe (PID: 5172)
  - autorun.exe (PID: 6600)
  - conhost.exe (PID: 5088)
  - autorun.exe (PID: 4712)
  - notepad.exe (PID: 5780)
  - autorun.exe (PID: 5224)
- Process checks computer location settings
  - SystemSettings.exe (PID: 1204)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	reloc/
ZipUncompressedSize:	-
ZipCompressedSize:	-
ZipCRC:	0x00000000
ZipModifyDate:	2023:04:25 14:21:52
ZipCompression:	None
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1204

"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel

C:\Windows\ImmersiveControlPanel\SystemSettings.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Settings

Exit code:

Version:

10.0.19041.1266 (WinBuild.160101.0800)

Modules

Images
c:\windows\immersivecontrolpanel\systemsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll

1916

"C:\Users\Public\reloc\SILan.exe"

C:\Users\Public\reloc\SILan.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

SILan MFC Application

Exit code:

Version:

1, 0, 0, 1

Modules

Images
c:\users\public\reloc\silan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll

2732

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\reloc.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

3344

"C:\Users\Public\reloc\SILan.exe"

C:\Users\Public\reloc\SILan.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

SILan MFC Application

Exit code:

Version:

1, 0, 0, 1

Modules

Images
c:\users\public\reloc\silan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

4180

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft OneDriveFile Co-Authoring Executable

Exit code:

Version:

19.043.0304.0013

Modules

Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

4224

"C:\WINDOWS\system32\cmd.exe"

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll

4712

C:\Users\Public\reloc\autorun.exe

—

SILan.exe

User:

admin

Company:

CyberLink Corp.

Integrity Level:

MEDIUM

Description:

PowerDVD Language Application

Exit code:

Version:

1.00.3413

Modules

Images
c:\users\public\reloc\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

5088

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5172

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

5224

C:\Users\Public\reloc\autorun.exe

—

SILan.exe

User:

admin

Company:

CyberLink Corp.

Integrity Level:

MEDIUM

Description:

PowerDVD Language Application

Exit code:

Version:

1.00.3413

Modules

Images
c:\users\public\reloc\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

10 060

Read events

9 992

Write events

Delete events

Modification events


(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 003C050012F8FE6A437AD701
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\SpybotAntiBeaconPortable-safer-networking.org_3.7.0.paf.zip
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.cab
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.zip
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2732) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1204) SystemSettings.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\88000105
Operation:	write	Name:	HasValidContent
Value: 0
(PID) Process:	(1204) SystemSettings.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\88000105
Operation:	write	Name:	SubscriptionContext
Value: sc-allCompleted=0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2732	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2732.6073\reloc\0\language.dll		executable
		MD5:7108D24F6F0E5799CD845F4154BB99B3	SHA256:3E5104EEB79E10C6EB853BD1F2784054A97F8A28F5281BF69D5EC57C7F208E89
2732	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2732.6073\reloc\autorun.exe		executable
		MD5:86810E2D993F7327EB5B25B5D17D21C1	SHA256:63636CEC408ACBBC4D04C01F9EFDBE4B9B08FA0C4390EC8729B9FF0C8BE9D246
1204	SystemSettings.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms~RF458369.TMP		binary
		MD5:4FCB2A3EE025E4A10D21E1B154873FE2	SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
1204	SystemSettings.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AD11DW7GGAFTLNVN1JY.temp		binary
		MD5:4FCB2A3EE025E4A10D21E1B154873FE2	SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
2732	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2732.6073\reloc\templateG.txt		binary
		MD5:83CF3F61C69BBCD1076DBC806758D9ED	SHA256:DD49D899381088D086A7A43DFB338DF57204D3A70DF9333FDF9C79F0D94F07F3
2732	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2732.6073\reloc\language.dll		executable
		MD5:7108D24F6F0E5799CD845F4154BB99B3	SHA256:3E5104EEB79E10C6EB853BD1F2784054A97F8A28F5281BF69D5EC57C7F208E89
1204	SystemSettings.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms		binary
		MD5:4FCB2A3EE025E4A10D21E1B154873FE2	SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
4180	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-04-27.0642.4180.1.odl		binary
		MD5:1EF798032E6679CD6B8169EE56FF230D	SHA256:39015E15C34C61E9C66A0E5AFAC41B9FA3B740C6BB424A37E8E4F99348CC43FE
4180	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-04-27.0642.4180.1.aodl		binary
		MD5:923BF0E545D9C37CA8874C8D6C4A30E6	SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
6628	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State		text
		MD5:75F04DBAE225F24516B7AEEBFA6D9424	SHA256:4980E1EAAB806970CA4EC5467267D66ACC13AA141A45618EC9DE28875C1AEDFD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4736	SearchApp.exe	GET	200	192.229.221.95:80	http://crl3.digicert.com/Omniroot2025.crl	US	der	7.78 Kb	whitelisted
5756	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
6400	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	der	409 b	whitelisted
5952	MoUsoCoreWorker.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	der	1.11 Kb	whitelisted
4736	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	US	der	471 b	whitelisted
6400	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	der	418 b	whitelisted
5952	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	der	814 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5952	MoUsoCoreWorker.exe	95.101.54.122:80	—	Akamai International B.V.	DE	suspicious
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious
4736	SearchApp.exe	2.16.186.203:443	—	Akamai International B.V.	DE	whitelisted
5756	svchost.exe	20.190.159.0:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5756	svchost.exe	20.190.159.75:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	95.101.54.128:80	—	Akamai International B.V.	DE	suspicious
—	—	20.190.159.0:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious
6400	SIHClient.exe	20.114.59.183:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
officeclient.microsoft.com	52.109.56.117	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
nexusrules.officeapps.live.com	20.224.151.203	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	13.77.207.86	whitelisted
licensing.mp.microsoft.com	20.123.104.105	whitelisted
l2.pic447.com	103.116.15.2	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

reloc.zip

8DFE899B30B8D2F7DD00913FFA5EB832

22D686BEE3871CAD53431477754BA0F699D961AD

EABC6724A7EF0793C73F78B427E940C63551896FE84F3AA83630581973D614CA

12288:BsUnvOi5J43tB4wbe2LOVDGbKapJZTwFsUnvOi5J43to4e1rDoNk:eUl5JwB4OeLyp8CUl5Jwo4e1HB

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Runs injected code in another process

Application was injected by another process

SUSPICIOUS

Connects to unusual port

Reads settings of System Certificates

INFO

Manual execution by a user

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

The process checks LSA protection

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings