Upon extraction, the archive typically reveals three primary files designed to work in tandem:

If you are analyzing this on a system, look for these indicators of compromise (IOCs):

Because the host process (wtvlvr.exe) is a trusted, signed binary, AV/EDR products that judge it by the image's signature or reputation will not flag it; the malicious activity takes place inside that process's memory, so detection has to come from what the process does (the modules it loads, the memory it allocates, the connections it makes) rather than from the file on disk.

Payload Behavior

Archives or folders located in %APPDATA% or %TEMP%.
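As an added example (not code from the original page), the following PowerShell triage script checks a host for the two indicators above: it locates wtvlvr.exe, records its Authenticode status, and then inspects what the signed process has actually loaded, before listing recently created folders and archives under %APPDATA% and %TEMP%. Two things are assumptions rather than statements of the page: that the code running inside wtvlvr.exe arrives as a loaded module from a user-writable path (one common mechanism, not confirmed here), and the archive extensions and 72-hour lookback window.

```powershell
# Host triage for the IOCs above. Added example, not from the original page.
# Assumptions (not stated on the page): the code inside wtvlvr.exe arrives as a
# loaded module from a user-writable path, and staged archives use the
# extensions below. Tune both for the case at hand.
$ProcessName   = 'wtvlvr'                                 # page: wtvlvr.exe
$StagingDirs   = @($env:APPDATA, $env:TEMP)               # page: %APPDATA%, %TEMP%
$ArchiveExts   = @('.zip', '.rar', '.7z', '.cab', '.iso') # assumption
$LookbackHours = 72                                       # assumption

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    $Findings.Add([PSCustomObject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}
function Test-UserWritablePath([string]$Path) {
    foreach ($d in $StagingDirs) { if ($Path -like "$d\*") { return $true } }
    return $false
}

# 1. The host process. Its image is expected to be validly signed; that is
#    exactly why the signature says nothing about what is executing inside it.
foreach ($p in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
    $img = $p.Path
    if (-not $img) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $img
    Add-Finding 'Process' $img "PID $($p.Id), signature $($sig.Status), signer $($sig.SignerCertificate.Subject)"
    if (Test-UserWritablePath $img) {
        Add-Finding 'ProcessPath' $img 'Signed binary executing from %APPDATA%/%TEMP%'
    }

    # 2. What the process has mapped. Unsigned modules, or modules loaded from a
    #    user-writable directory, are the part the image signature does not cover.
    try { $mods = $p.Modules }
    catch { Add-Finding 'Error' $img "Cannot enumerate modules: $($_.Exception.Message)"; continue }
    foreach ($m in $mods) {
        $mf = $m.FileName
        if (-not $mf) { continue }
        $ms = Get-AuthenticodeSignature -FilePath $mf -ErrorAction SilentlyContinue
        if ($ms.Status -ne 'Valid' -or (Test-UserWritablePath $mf)) {
            Add-Finding 'Module' $mf "Loaded in PID $($p.Id), signature $($ms.Status)"
        }
    }
}

# 3. Staging: archives or newly created folders under %APPDATA% / %TEMP%.
$since = (Get-Date).AddHours(-$LookbackHours)
foreach ($d in $StagingDirs) {
    Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object {
        ($_.PSIsContainer -and $_.CreationTime -ge $since) -or
        (-not $_.PSIsContainer -and $_.LastWriteTime -ge $since -and
         $ArchiveExts -contains $_.Extension.ToLower())
      } |
      ForEach-Object {
        $kind = if ($_.PSIsContainer) { 'StagingDir' } else { 'StagingArchive' }
        Add-Finding $kind $_.FullName "Created $($_.CreationTime), written $($_.LastWriteTime)"
      }
}

$Findings | Sort-Object Kind | Format-Table -AutoSize
```

Run it elevated from a 64-bit PowerShell session: enumerating another process's modules fails without administrator rights and when the PowerShell bitness does not match the target's. A 'Module' finding is a lead, not a verdict; some legitimate components are unsigned, so compare the flagged path and hash against a clean install before acting on it.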