File name: Valex_Executor.zip

Full analysis: https://app.any.run/tasks/03f82619-e78d-4109-9ef0-7b7c4b0af0b9
Verdict: Malicious activity
Analysis date: June 14, 2025, 00:23:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-scr, arch-html
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: BE07C03E4B7C97004B37B6813918112E
SHA1: 12E58A1A22F512EFC32C76A706A398B155451267
SHA256: FE969C08599664C940F3131BA6B0D24D3A2D5C8CFE85F3D54CA1C3705A599139
SSDEEP: 196608:adpEgIX4Czr22IDZGCDvRNLxfPp8gwgrdkI+Ithy98FxM6N3:eElX1JIDZdDvf5h5RxkI+IthJFTN3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2460)
    • Executes application which crashes

      • Valex.exe (PID: 1936)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2460)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2460)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 2460)
    • The process executes via Task Scheduler

      • updater.exe (PID: 424)
    • Application launched itself

      • updater.exe (PID: 424)
  • INFO

    • Checks supported languages

      • Valex.exe (PID: 1936)
      • MpCmdRun.exe (PID: 1472)
      • updater.exe (PID: 1480)
      • updater.exe (PID: 424)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 2460)
    • Manual execution by a user

      • Valex.exe (PID: 2140)
      • Valex.exe (PID: 1936)
      • wscript.exe (PID: 2976)
      • wscript.exe (PID: 2716)
      • wscript.exe (PID: 3924)
      • wscript.exe (PID: 5764)
      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 1160)
      • wscript.exe (PID: 728)
      • wscript.exe (PID: 5172)
    • Reads the computer name

      • Valex.exe (PID: 1936)
      • MpCmdRun.exe (PID: 1472)
      • updater.exe (PID: 424)
    • Disables trace logs

      • Valex.exe (PID: 1936)
    • Checks proxy server information

      • Valex.exe (PID: 1936)
      • WerFault.exe (PID: 6292)
      • slui.exe (PID: 6160)
    • Reads the software policy settings

      • Valex.exe (PID: 1936)
      • WerFault.exe (PID: 6292)
      • slui.exe (PID: 6160)
    • Reads the machine GUID from the registry

      • Valex.exe (PID: 1936)
    • JScript runtime error (SCRIPT)

      • wscript.exe (PID: 2976)
      • wscript.exe (PID: 2716)
      • wscript.exe (PID: 3924)
      • wscript.exe (PID: 5172)
      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 728)
      • wscript.exe (PID: 1160)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6292)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 1472)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2460)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:30 05:04:10
ZipCRC: 0x95751423
ZipCompressedSize: 38273
ZipUncompressedSize: 82024
ZipFileName: Microsoft.Web.WebView2.Wpf.dll
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 19
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process nodes, in the order the graph renders them ("no specs" marks a process for which the report captured no detailed specifications):

start
winrar.exe
valex.exe (no specs)
valex.exe
werfault.exe
wscript.exe (no specs)
svchost.exe
wscript.exe (no specs)
wscript.exe (no specs)
wscript.exe (no specs)
wscript.exe (no specs)
wscript.exe (no specs)
wscript.exe (no specs)
wscript.exe (no specs)
slui.exe
cmd.exe (no specs)
conhost.exe (no specs)
mpcmdrun.exe (no specs)
updater.exe (no specs)
updater.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 424
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 728
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\editor.main.nls.ja.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1160
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\editor.main.nls.ko.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 1480
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1740
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1936
CMD: "C:\Users\admin\Desktop\Valex.exe"
Path: C:\Users\admin\Desktop\Valex.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Nezur
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the crash that WerFault.exe PID 6292 wrote a dump for)
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\valex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2140
CMD: "C:\Users\admin\Desktop\Valex.exe"
Path: C:\Users\admin\Desktop\Valex.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Nezur
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch could not start; the same image then runs at HIGH integrity as PID 1936)
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\valex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2460
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Valex_Executor.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 18,198
Read events: 18,158
Write events: 37
Delete events: 3

Modification events

PID and process | operation | key\value name = data

2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes\ShellExtBMP = (empty)
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes\ShellExtIcon = (empty)
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\3 = C:\Users\admin\Desktop\preferences.zip
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\2 = C:\Users\admin\Desktop\chromium_ext.zip
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\1 = C:\Users\admin\Desktop\omni_23_10_2024_.zip
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\0 = C:\Users\admin\Desktop\Valex_Executor.zip
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\name = 120
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\size = 80
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\type = 120
2460 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\mtime = 100
Executable files: 10
Suspicious files: 5
Text files: 18
Unknown types: 0

Dropped files

Per entry: PID and process | file type, then path, MD5 and SHA256 (the report lists no type or hashes for the two WerFault.exe artifacts)

6292 WerFault.exe | type not listed
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Valex.exe_8dda499ea48a389b34cd3e80094572fea6e1b93_4fa2a8d0_dc0aa8e4-49c0-41cd-b459-f289b9840b99\Report.wer
MD5:
SHA256:

6292 WerFault.exe | type not listed
C:\Users\admin\AppData\Local\CrashDumps\Valex.exe.1936.dmp
MD5:
SHA256:

1936 Valex.exe | text
C:\Windows\SysWOW64\scripts\komorebi.lua
MD5: BB942121FE0B63F749EB6B46214C4886
SHA256: B571C0225C0781291DD4C89BF407B33D6DDE6DEE73856A4A0377AFC5DF22BDD6

2460 WinRAR.exe | executable
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Octokit.dll
MD5: 2C2A65E9CF0776FA77600D5FE3B30783
SHA256: 6A48642D6AE464B43A6CB50292618AF6C73ADA8D726644E50D4FA44A1783F638

2460 WinRAR.exe | executable
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Microsoft.Web.WebView2.Wpf.dll
MD5: 4413CECFC59CD9CC067D8E9609FFA9CF
SHA256: CDEA607D08DA5A048F3D38E431DFF1454E22F7B556456A8E1780B11091E6ECF7

2460 WinRAR.exe | html
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\Monaco\Monaco.html
MD5: 6C54F348B6511858B8963C5F5BD836AC
SHA256: B5E998236CED3177E44A7A35B33892751D758275B5623CC050872BAB66A738C4

2460 WinRAR.exe | executable
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\libz3.dll
MD5: B0097E1EA9D0E44EEE5B2D28681E57CA
SHA256: 7DB664F4F0A1EB059D50327B338813CB5CFD2492F590846899E50DF533FA77FB

2460 WinRAR.exe | executable
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Newtonsoft.Json.dll
MD5: 195FFB7167DB3219B217C4FD439EEDD6
SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

2460 WinRAR.exe | text
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\Monaco\vs\editor\editor.main.css
MD5: 233217455A3EF3604BF4942024B94F98
SHA256: 2EC118616A1370E7C37342DA85834CA1819400C28F83ABFCBBB1EF50B51F7701

2460 WinRAR.exe | text
C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\Monaco\vs\editor\editor.main.nls.de.js
MD5: 4D83BC1BCED6F773423BE6F939472CFE
SHA256: 0DEE462D5FB231F169F6CBC432465A43FD445C011FE650E29F5FB2BCCC31EAAE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 39
DNS requests: 25
Threats: 2

HTTP requests

Columns: Method | IP | URL | CN | Reputation (PID, process, HTTP code, type and size are blank in the report for every request listed)

POST | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | whitelisted
POST | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | whitelisted
POST | 20.190.160.65:443 | https://login.live.com/RST2.srf | unknown | whitelisted
POST | 40.126.32.138:443 | https://login.live.com/RST2.srf | unknown | whitelisted
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
GET | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | unknown
POST | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | whitelisted
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell the report leaves empty)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3924 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6024 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1936 | Valex.exe | 104.26.0.5:443 | keyauth.win | CLOUDFLARENET | US | malicious
2336 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
keyauth.win
  • 104.26.0.5
  • 104.26.1.5
  • 172.67.72.57
malicious
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.0
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

Columns: PID | Process | Class | Message

2200 | svchost.exe | Potentially Bad Traffic | ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
1936 | Valex.exe | Potentially Bad Traffic | ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
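The two signatures fire on the same string in two places: the question name of the DNS query that svchost.exe (the Dnscache service, PID 2200) sends on Valex.exe's behalf, and the server_name extension of the TLS ClientHello that Valex.exe (PID 1936) then sends to 104.26.0.5:443. As an added example that is not part of the ANY.RUN report or the Emerging Threats ruleset, the Python below builds a constructed DNS query and a constructed TLS ClientHello for that host, parses the query name and the SNI back out of the raw bytes, and matches both against the report's domain indicator, which is the lookup the signatures perform. The packet builders, the IOC set and the sample traffic are assumptions made for the demonstration.

```python
"""Added example (not part of the ANY.RUN report): pull the queried name out of a
raw DNS query and the SNI out of a raw TLS ClientHello, then match both against
the report's network indicator the way the two ET signatures do."""
from typing import List, Optional, Tuple

# Domain indicator taken from the report's DNS requests and Threats sections.
IOC_DOMAINS = {"keyauth.win"}


def matches_ioc(name: str) -> bool:
    """Exact or sub-domain match, case-insensitive, trailing dot tolerated."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def dns_qname(packet: bytes) -> Optional[str]:
    """Return the first question name of a DNS message, or None if malformed."""
    if len(packet) < 12 or int.from_bytes(packet[4:6], "big") == 0:   # QDCOUNT
        return None
    pos, labels = 12, []
    while pos < len(packet):
        n = packet[pos]
        pos += 1
        if n == 0:                         # root label ends the name
            return ".".join(labels)
        if n & 0xC0:                       # compression pointer: not valid in a question
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None                            # ran off the end before the root label


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record holding a ClientHello and return its server_name, or None."""
    if len(record) < 5 or record[0] != 0x16:                 # 0x16 = handshake record
        return None
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not body or body[0] != 0x01:                          # 0x01 = ClientHello
        return None
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                         # legacy_version + random
        pos += 1 + ch[pos]                                   # session_id
        pos += 2 + int.from_bytes(ch[pos:pos + 2], "big")    # cipher_suites
        pos += 1 + ch[pos]                                   # compression_methods
        if pos + 2 > len(ch):
            return None                                      # hello without extensions
        end = pos + 2 + int.from_bytes(ch[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(ch[pos:pos + 2], "big")
            elen = int.from_bytes(ch[pos + 2:pos + 4], "big")
            data = ch[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name
                nlen = int.from_bytes(data[3:5], "big")
                return data[5:5 + nlen].decode("ascii", "replace")
    except IndexError:
        return None                                          # truncated hello
    return None


def build_dns_query(name: str) -> bytes:
    """Constructed A-record query for `name` (ID 0x1234, RD set, one question)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + qname + b"\x00\x01\x00\x01"


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello carrying a single server_name extension."""
    host = sni.encode("ascii")
    name_list = b"\x00" + len(host).to_bytes(2, "big") + host          # host_name entry
    sni_ext = len(name_list).to_bytes(2, "big") + name_list            # ServerNameList
    exts = b"\x00\x00" + len(sni_ext).to_bytes(2, "big") + sni_ext      # type 0 + length
    hello = (b"\x03\x03" + bytes(32)                                   # version, random
             + b"\x00"                                                  # empty session_id
             + b"\x00\x02\x13\x01"                                      # one cipher suite
             + b"\x01\x00"                                              # null compression
             + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def scan(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """samples: (kind, raw bytes) with kind 'dns' or 'tls'. Returns (kind, name) hits."""
    hits = []
    for kind, raw in samples:
        name = dns_qname(raw) if kind == "dns" else extract_sni(raw)
        if name and matches_ioc(name):
            hits.append((kind, name))
    return hits


if __name__ == "__main__":
    # Constructed traffic: the indicator plus benign hosts from the same report.
    samples = [("dns", build_dns_query("keyauth.win")),
               ("dns", build_dns_query("login.live.com")),
               ("tls", build_client_hello("keyauth.win")),
               ("tls", build_client_hello("slscr.update.microsoft.com"))]
    for kind, name in scan(samples):
        print(f"KeyAuth domain seen in {kind}: {name}")
```

Both signatures are in the ET INFO class and the report files them as "Potentially Bad Traffic" rather than as a malware family. KeyAuth is, as the rule name says, an open-source licensing and authentication service, so the hit tells you that Valex.exe checks a licence against keyauth.win, which many unrelated programs also do; it does not on its own justify a verdict. The verdict rests on the combination: a Desktop executable that demands elevation, writes into C:\Windows\SysWOW64\scripts\ once it has it, and then phones a licensing server before crashing. Note also that on a host where DNS is resolved by the Dnscache service, the DNS-lookup signature attributes the query to svchost.exe, not to the process that asked for it, so correlate it with the TLS SNI hit (which is attributed to Valex.exe) or with the endpoint's process-level DNS telemetry.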
No debug info