File name:

Valex_Executor.zip

Full analysis: https://app.any.run/tasks/03f82619-e78d-4109-9ef0-7b7c4b0af0b9
Verdict: Malicious activity
Analysis date: June 14, 2025, 00:23:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
arch-html
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

BE07C03E4B7C97004B37B6813918112E

SHA1:

12E58A1A22F512EFC32C76A706A398B155451267

SHA256:

FE969C08599664C940F3131BA6B0D24D3A2D5C8CFE85F3D54CA1C3705A599139

SSDEEP:

196608:adpEgIX4Czr22IDZGCDvRNLxfPp8gwgrdkI+Ithy98FxM6N3:eElX1JIDZdDvf5h5RxkI+IthJFTN3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2460)

    • Executes application which crashes

      • Valex.exe (PID: 1936)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2460)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2460)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 2460)

    • The process executes via Task Scheduler

      • updater.exe (PID: 424)

    • Application launched itself

      • updater.exe (PID: 424)

  • INFO

    • Reads the computer name

      • Valex.exe (PID: 1936)
      • MpCmdRun.exe (PID: 1472)
      • updater.exe (PID: 424)

    • Disables trace logs

      • Valex.exe (PID: 1936)

    • Manual execution by a user

      • Valex.exe (PID: 1936)
      • Valex.exe (PID: 2140)
      • wscript.exe (PID: 2976)
      • wscript.exe (PID: 2716)
      • wscript.exe (PID: 5172)
      • wscript.exe (PID: 1160)
      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 728)
      • wscript.exe (PID: 5764)
      • wscript.exe (PID: 3924)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 2460)

    • Checks proxy server information

      • Valex.exe (PID: 1936)
      • slui.exe (PID: 6160)
      • WerFault.exe (PID: 6292)

    • Checks supported languages

      • Valex.exe (PID: 1936)
      • MpCmdRun.exe (PID: 1472)
      • updater.exe (PID: 424)
      • updater.exe (PID: 1480)

    • Reads the software policy settings

      • Valex.exe (PID: 1936)
      • slui.exe (PID: 6160)
      • WerFault.exe (PID: 6292)

    • JScript runtime error (SCRIPT)

      • wscript.exe (PID: 2976)
      • wscript.exe (PID: 2716)
      • wscript.exe (PID: 5172)
      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 1160)
      • wscript.exe (PID: 728)
      • wscript.exe (PID: 3924)

    • Reads the machine GUID from the registry

      • Valex.exe (PID: 1936)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2460)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 424)

    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 1472)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:30 05:04:10
ZipCRC: 0x95751423
ZipCompressedSize: 38273
ZipUncompressedSize: 82024
ZipFileName: Microsoft.Web.WebView2.Wpf.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
154
Monitored processes
19
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe valex.exe no specs valex.exe werfault.exe wscript.exe no specs svchost.exe wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs slui.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs updater.exe no specs updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
424"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
728"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\editor.main.nls.ja.jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1160"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\editor.main.nls.ko.jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1472"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR2460.644"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
1480"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1740\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1936"C:\Users\admin\Desktop\Valex.exe" C:\Users\admin\Desktop\Valex.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Nezur
Exit code:
3221225477
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\valex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2140"C:\Users\admin\Desktop\Valex.exe" C:\Users\admin\Desktop\Valex.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Nezur
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\valex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2460"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Valex_Executor.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
18 198
Read events
18 158
Write events
37
Delete events
3

Modification events

(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Valex_Executor.zip
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2460) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
10
Suspicious files
5
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
6292WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Valex.exe_8dda499ea48a389b34cd3e80094572fea6e1b93_4fa2a8d0_dc0aa8e4-49c0-41cd-b459-f289b9840b99\Report.wer
MD5:
SHA256:
6292WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Valex.exe.1936.dmp
MD5:
SHA256:
2460WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Microsoft.Web.WebView2.Wpf.dllexecutable
MD5:4413CECFC59CD9CC067D8E9609FFA9CF
SHA256:CDEA607D08DA5A048F3D38E431DFF1454E22F7B556456A8E1780B11091E6ECF7
6292WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER78EA.tmp.WERInternalMetadata.xmlxml
MD5:5A50CBCE4B828BA6F68CD3406825E7E4
SHA256:05DC2B3C077FA5AA4A221C66415CF88E2EF1A84F00D27D5E5D7704102911B06A
1936Valex.exeC:\Windows\SysWOW64\scripts\komorebi.luatext
MD5:BB942121FE0B63F749EB6B46214C4886
SHA256:B571C0225C0781291DD4C89BF407B33D6DDE6DEE73856A4A0377AFC5DF22BDD6
6292WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER77B0.tmp.dmpbinary
MD5:148D6E97992C4DAD6C292335BAC4FFBF
SHA256:B0F3226E72941D416A9A6121881201CC759984FBC92452D2E7113CF521ABC2E3
6292WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER7929.tmp.xmlxml
MD5:8DFF1F6998107A3089408D7508F20238
SHA256:4AA404B49C860F422CF79C8200B6D072E8B96C7E065154FA31B2058A8C65E116
6292WerFault.exeC:\Windows\appcompat\Programs\Amcache.hvebinary
MD5:8E881389B092C3E6DEAA558EB4C07A05
SHA256:1FBE6264D8C02BCC5594074A0C5B01B58F3781DB81C89B43C15814B2EBCD7C40
2460WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Octokit.dllexecutable
MD5:2C2A65E9CF0776FA77600D5FE3B30783
SHA256:6A48642D6AE464B43A6CB50292618AF6C73ADA8D726644E50D4FA44A1783F638
2460WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR2460.644\Valex_Executor.zip\Newtonsoft.Json.dllexecutable
MD5:195FFB7167DB3219B217C4FD439EEDD6
SHA256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
39
DNS requests
25
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
20.190.160.64:443
https://login.live.com/RST2.srf
unknown
whitelisted
POST
20.190.160.64:443
https://login.live.com/RST2.srf
unknown
whitelisted
POST
20.190.160.65:443
https://login.live.com/RST2.srf
unknown
whitelisted
POST
40.126.32.138:443
https://login.live.com/RST2.srf
unknown
whitelisted
GET
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
20.190.160.132:443
https://login.live.com/RST2.srf
unknown
whitelisted
2940
svchost.exe
GET
72.246.169.163:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3924
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6024
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1936
Valex.exe
104.26.0.5:443
keyauth.win
CLOUDFLARENET
US
malicious
2336
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
keyauth.win
  • 104.26.0.5
  • 104.26.1.5
  • 172.67.72.57
malicious
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.0
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Potentially Bad Traffic
ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
1936
Valex.exe
Potentially Bad Traffic
ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Valex_Executor.zip