File name:

Valex_Executor.zip

Full analysis: https://app.any.run/tasks/03f82619-e78d-4109-9ef0-7b7c4b0af0b9
Verdict: Malicious activity
Analysis date: June 14, 2025, 00:23:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
arch-html
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

BE07C03E4B7C97004B37B6813918112E

SHA1:

12E58A1A22F512EFC32C76A706A398B155451267

SHA256:

FE969C08599664C940F3131BA6B0D24D3A2D5C8CFE85F3D54CA1C3705A599139

SSDEEP:

196608:adpEgIX4Czr22IDZGCDvRNLxfPp8gwgrdkI+Ithy98FxM6N3:eElX1JIDZdDvf5h5RxkI+IthJFTN3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2460)
    • Executes application which crashes

      • Valex.exe (PID: 1936)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2460)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2460)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 2460)
    • Application launched itself

      • updater.exe (PID: 424)
    • The process executes via Task Scheduler

      • updater.exe (PID: 424)
  • INFO

    • Manual execution by a user

      • Valex.exe (PID: 2140)
      • Valex.exe (PID: 1936)
      • wscript.exe (PID: 2976)
      • wscript.exe (PID: 2716)
      • wscript.exe (PID: 3924)
      • wscript.exe (PID: 5172)
      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 1160)
      • wscript.exe (PID: 728)
      • wscript.exe (PID: 5764)
    • Checks supported languages

      • Valex.exe (PID: 1936)
      • MpCmdRun.exe (PID: 1472)
      • updater.exe (PID: 1480)
      • updater.exe (PID: 424)
    • Reads the computer name

      • Valex.exe (PID: 1936)
      • MpCmdRun.exe (PID: 1472)
      • updater.exe (PID: 424)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 2460)
    • Disables trace logs

      • Valex.exe (PID: 1936)
    • Checks proxy server information

      • Valex.exe (PID: 1936)
      • WerFault.exe (PID: 6292)
      • slui.exe (PID: 6160)
    • Reads the machine GUID from the registry

      • Valex.exe (PID: 1936)
    • Reads the software policy settings

      • Valex.exe (PID: 1936)
      • WerFault.exe (PID: 6292)
      • slui.exe (PID: 6160)
    • JScript runtime error (SCRIPT)

      • wscript.exe (PID: 2976)
      • wscript.exe (PID: 2716)
      • wscript.exe (PID: 3924)
      • wscript.exe (PID: 5172)
      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 1160)
      • wscript.exe (PID: 728)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6292)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2460)
    • Creates files in a temporary directory

      • MpCmdRun.exe (PID: 1472)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:30 05:04:10
ZipCRC: 0x95751423
ZipCompressedSize: 38273
ZipUncompressedSize: 82024
ZipFileName: Microsoft.Web.WebView2.Wpf.dll
No data.
All screenshots are available in the full report
Total processes
154
Monitored processes
19
Malicious processes
0
Suspicious processes
1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 424
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 728
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\editor.main.nls.ja.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1160
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\editor.main.nls.ko.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 1480
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1740
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1936
CMD: "C:\Users\admin\Desktop\Valex.exe"
Path: C:\Users\admin\Desktop\Valex.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Nezur
Exit code:
3221225477
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\valex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2140
CMD: "C:\Users\admin\Desktop\Valex.exe"
Path: C:\Users\admin\Desktop\Valex.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Nezur
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\valex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2460
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Valex_Executor.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
18 198
Read events
18 158
Write events
37
Delete events
3

Modification events

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Valex_Executor.zip

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2460) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files
10
Suspicious files
5
Text files
18
Unknown types
0

Dropped files

PID | Process | Filename | Type
6292 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Valex.exe_8dda499ea48a389b34cd3e80094572fea6e1b93_4fa2a8d0_dc0aa8e4-49c0-41cd-b459-f289b9840b99\Report.wer | -
MD5:
SHA256:
6292 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Valex.exe.1936.dmp | -
MD5:
SHA256:
6292 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7929.tmp.xml | xml
MD5:8DFF1F6998107A3089408D7508F20238
SHA256:4AA404B49C860F422CF79C8200B6D072E8B96C7E065154FA31B2058A8C65E116
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Newtonsoft.Json.dll | executable
MD5:195FFB7167DB3219B217C4FD439EEDD6
SHA256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Valex.exe | executable
MD5:452D917F90185A169A4B201B3905E6F5
SHA256:77C0F2D523D0363E3FBE1A5DD5F5126A5192DF389A9E578FF30F1BBF81F52A31
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Octokit.dll | executable
MD5:2C2A65E9CF0776FA77600D5FE3B30783
SHA256:6A48642D6AE464B43A6CB50292618AF6C73ADA8D726644E50D4FA44A1783F638
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\libz3.dll | executable
MD5:B0097E1EA9D0E44EEE5B2D28681E57CA
SHA256:7DB664F4F0A1EB059D50327B338813CB5CFD2492F590846899E50DF533FA77FB
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\Monaco\vs\basic-languages\lua\lua.js | binary
MD5:8706D861294E09A1F2F7E63D19E5FCB7
SHA256:FC2D6FB52A524A56CD8AC53BFE4BAD733F246E76DC73CBEC4C61BE32D282AC42
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\Monaco\vs\editor\editor.main.css | text
MD5:233217455A3EF3604BF4942024B94F98
SHA256:2EC118616A1370E7C37342DA85834CA1819400C28F83ABFCBBB1EF50B51F7701
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\bin\Monaco\vs\editor\editor.main.nls.es.js | text
MD5:B371235F971BAA51F58F123F40C4435A
SHA256:203FF3591E02EB7B55A591E53919CC337F8DEA73E6446FC3493227761C0794BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
39
DNS requests
25
Threats
2

HTTP requests

Method | IP | URL | Type | Reputation
POST | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | whitelisted
POST | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | whitelisted
POST | 20.190.160.65:443 | https://login.live.com/RST2.srf | unknown | whitelisted
POST | 40.126.32.138:443 | https://login.live.com/RST2.srf | unknown | whitelisted
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
GET | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
POST | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | whitelisted
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
GET | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3924 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6024 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1936 | Valex.exe | 104.26.0.5:443 | keyauth.win | CLOUDFLARENET | US | malicious
2336 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
keyauth.win
  • 104.26.0.5
  • 104.26.1.5
  • 172.67.72.57
malicious
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.0
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

Class | Message
Potentially Bad Traffic | ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
Potentially Bad Traffic | ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
No debug info