File name:

updater.exe

Full analysis: https://app.any.run/tasks/aa3150c3-977b-4eec-8b42-2f5e79278ab9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 27, 2025, 20:13:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 9 sections
MD5:

07CC878538366D9DDB251109BF9D8FEE

SHA1:

1336E6E96AE094B25B8B6973D619B5F29FB89A49

SHA256:

170FD4117643A03D739AA35743727E48DCB783A20AD903D38A4EFE6D95E5288C

SSDEEP:

98304:KsG81M+9XXXXXX36EIb1nIbxXwojDLPzZdFr0odwOprMBnRY0V0r7zd+7zMktLzA:iP+UDPKRz90etglE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XORed URL has been found (YARA)

      • updater.exe (PID: 7588)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • updater.exe (PID: 7588)

    • Executable content was dropped or overwritten

      • updater.exe (PID: 7588)

  • INFO

    • Checks supported languages

      • updater.exe (PID: 7588)

    • Reads the computer name

      • updater.exe (PID: 7588)

    • Reads the machine GUID from the registry

      • updater.exe (PID: 7588)

    • Checks proxy server information

      • updater.exe (PID: 7588)
      • slui.exe (PID: 4164)

    • Reads the software policy settings

      • updater.exe (PID: 7588)
      • slui.exe (PID: 4164)

    • Creates files or folders in the user directory

      • updater.exe (PID: 7588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(7588) updater.exe
Decrypted-URLs (2)https://files.mrs
https://files.mfghijklmnopqrstunormal/kernel.ex(@
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:10:22 19:34:22+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.5
CodeSize: 34304
InitializedDataSize: 22528
UninitializedDataSize: -
EntryPoint: 0xf589ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XOR-URL updater.exe conhost.exe no specs slui.exe updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4164C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7432"C:\Users\admin\Desktop\updater.exe" C:\Users\admin\Desktop\updater.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\updater.exe
c:\windows\system32\ntdll.dll
7588"C:\Users\admin\Desktop\updater.exe" C:\Users\admin\Desktop\updater.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\wininet.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcrt.dll
xor-url
(PID) Process(7588) updater.exe
Decrypted-URLs (2)https://files.mrs
https://files.mfghijklmnopqrstunormal/kernel.ex(@
7600\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeupdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
7 014
Read events
7 011
Write events
3
Delete events
0

Modification events

(PID) Process:(7588) updater.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7588) updater.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7588) updater.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
8
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7588updater.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\usermode[1].exeexecutable
MD5:EB1F70F18B096502285B1FEE4CEAEBC1
SHA256:9EBC47E37FDED01DEA44836320438FAFB409B567E11521ED0F94F51D4F22661D
7588updater.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\usermode[1].exeexecutable
MD5:EB1F70F18B096502285B1FEE4CEAEBC1
SHA256:9EBC47E37FDED01DEA44836320438FAFB409B567E11521ED0F94F51D4F22661D
7588updater.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\version[1].txttext
MD5:C64FDE90A0818F1BF77DF8ADBC5EA8DB
SHA256:8A1BB853D14D442BA930767EC23A1766A066A67E1D1379382FFCAE666F37105D
7588updater.exeC:\Users\admin\Desktop\usermode\app.exe.tmpexecutable
MD5:EB1F70F18B096502285B1FEE4CEAEBC1
SHA256:9EBC47E37FDED01DEA44836320438FAFB409B567E11521ED0F94F51D4F22661D
7588updater.exeC:\Users\admin\Desktop\usermode\app.exeexecutable
MD5:EB1F70F18B096502285B1FEE4CEAEBC1
SHA256:9EBC47E37FDED01DEA44836320438FAFB409B567E11521ED0F94F51D4F22661D
7588updater.exeC:\Users\admin\Desktop\app.exeexecutable
MD5:28360068D12DD68749B6F3641C0BB9B5
SHA256:9ECD2EFFCC4D329676791ED67356E78F99055F83588323DDDBB14E95BBDAED90
7588updater.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\kernel[1].exeexecutable
MD5:28360068D12DD68749B6F3641C0BB9B5
SHA256:9ECD2EFFCC4D329676791ED67356E78F99055F83588323DDDBB14E95BBDAED90
7588updater.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\kernel[1].exeexecutable
MD5:28360068D12DD68749B6F3641C0BB9B5
SHA256:9ECD2EFFCC4D329676791ED67356E78F99055F83588323DDDBB14E95BBDAED90
7588updater.exeC:\Users\admin\Desktop\app.exe.tmpexecutable
MD5:28360068D12DD68749B6F3641C0BB9B5
SHA256:9ECD2EFFCC4D329676791ED67356E78F99055F83588323DDDBB14E95BBDAED90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
43
DNS requests
15
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5956
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
GET
200
172.67.145.227:443
https://files.matcha-latte.win/normal/version.txt?t=1761596045
unknown
text
27 b
GET
200
172.67.145.227:443
https://files.matcha-latte.win/normal/usermode.exe?t=1761596046
unknown
executable
16.2 Mb
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
29.1 Kb
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
8068
SIHClient.exe
GET
200
104.79.89.142:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
8068
SIHClient.exe
GET
200
104.79.89.142:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
unknown
whitelisted
8068
SIHClient.exe
GET
200
104.79.89.142:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8068
SIHClient.exe
GET
200
104.79.89.142:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
5956
svchost.exe
20.190.160.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7012
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5596
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5956
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5596
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3440
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2956
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7588
updater.exe
172.67.145.227:443
files.matcha-latte.win
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.160.128
  • 20.190.160.4
  • 20.190.160.17
  • 40.126.32.136
  • 20.190.160.67
  • 40.126.32.133
  • 20.190.160.3
  • 20.190.160.132
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
files.matcha-latte.win
  • 172.67.145.227
  • 104.21.28.114
unknown
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
www.microsoft.com
  • 104.79.89.142
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 4.154.185.43
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
Misc activity
ET INFO Observed UA-CPU Header
Misc activity
ET INFO EXE - Served Attached HTTP
Misc activity
ET HUNTING Possible EXE Download From Suspicious TLD
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
A Network Trojan was detected
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
Misc activity
ET INFO Observed UA-CPU Header
Misc activity
ET HUNTING Possible EXE Download From Suspicious TLD
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
updater.exe