File name: update.exe
Full analysis: https://app.any.run/tasks/ae680cf8-da5a-4199-93ae-4e0df6b4f101
Verdict: Malicious activity
Analysis date: December 23, 2024, 11:44:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 2FEE3B9147B33B92FC778AFBCE496F2D
SHA1: D2FC7C1D2ABCD8D1C2A3381DE41A4A6928B07631
SHA256: 259052FB3A2C7CD0FEBFBD92031A8DE112F8918BC5A90986AD70C1D563AF295A
SSDEEP: 196608:gldSkNBSMYIDXHgmEhccBeevxZ+fheUXihz+Z/og:6TSMYIDXHxEhpzoWa9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 624)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • uedit64.exe (PID: 5036)
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
      • update.exe (PID: 4024)
      • IDMUpdate.exe (PID: 6272)
      • IDMUpdate.exe (PID: 1348)
    • Reads Microsoft Outlook installation path

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • uedit64.exe (PID: 5036)
      • IDMUpdate.exe (PID: 6272)
    • Executes application which crashes

      • update.exe (PID: 6916)
    • Reads Internet Explorer settings

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • uedit64.exe (PID: 5036)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 624)
    • Creates file in the systems drive root

      • ues_ctags.exe (PID: 6728)
      • ues_ctags.exe (PID: 6492)
    • Creates/Modifies COM task schedule object

      • uedit64.exe (PID: 5036)
    • Reads the date of Windows installation

      • uedit64.exe (PID: 5036)
    • Checks Windows Trust Settings

      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
      • update.exe (PID: 4024)
    • Executable content was dropped or overwritten

      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
    • Adds/modifies Windows certificates

      • update.exe (PID: 4520)
    • Starts itself from another location

      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
      • update.exe (PID: 6528)
  • INFO

    • Checks supported languages

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • uehh.exe (PID: 5304)
      • uehh.exe (PID: 6688)
      • ues_ctags.exe (PID: 2280)
      • uedit64.exe (PID: 5036)
      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
      • IDMUpdate.exe (PID: 6272)
      • IDMUpdate.exe (PID: 1348)
      • uedit64.exe (PID: 6456)
      • IDMMonitor.exe (PID: 2456)
    • Process checks whether UAC notifications are on

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
    • The sample compiled with english language support

      • update.exe (PID: 6916)
      • WinRAR.exe (PID: 624)
      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
    • Reads the computer name

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • identity_helper.exe (PID: 1988)
      • uedit64.exe (PID: 5036)
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
      • update.exe (PID: 4024)
      • IDMUpdate.exe (PID: 6272)
      • IDMUpdate.exe (PID: 1348)
    • Reads the software policy settings

      • WerFault.exe (PID: 6504)
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
    • Checks proxy server information

      • WerFault.exe (PID: 6504)
      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • uedit64.exe (PID: 5036)
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
      • IDMUpdate.exe (PID: 1348)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6504)
      • uedit64.exe (PID: 5036)
      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
      • UACHelper.exe (PID: 6620)
      • uedit64.exe (PID: 6456)
    • Reads security settings of Internet Explorer

      • WerFault.exe (PID: 6504)
    • Create files in a temporary directory

      • update.exe (PID: 6916)
      • update.exe (PID: 3080)
      • ues_ctags.exe (PID: 6728)
      • ues_ctags.exe (PID: 6492)
      • IDMUpdate.exe (PID: 6600)
      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
      • IDMUpdate.exe (PID: 6272)
      • update.exe (PID: 6528)
      • IDMUpdate.exe (PID: 1348)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 624)
      • update.exe (PID: 3080)
      • uedit64.exe (PID: 5036)
      • IDMUpdate.exe (PID: 6600)
      • IDMUpdate.exe (PID: 6272)
      • IDMUpdate.exe (PID: 1348)
    • Manual execution by a user

      • WinRAR.exe (PID: 624)
      • update.exe (PID: 4076)
      • update.exe (PID: 3080)
      • xmllint.exe (PID: 6956)
      • msedge.exe (PID: 1412)
      • uehh.exe (PID: 5304)
      • UEDOS32.exe (PID: 6380)
      • uedit64.exe (PID: 5036)
      • uehh.exe (PID: 6688)
      • uedit64.com (PID: 3040)
      • UACHelper.exe (PID: 6620)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 624)
      • msedge.exe (PID: 556)
    • Application launched itself

      • msedge.exe (PID: 5092)
      • msedge.exe (PID: 4804)
      • msedge.exe (PID: 1412)
    • Reads Environment values

      • identity_helper.exe (PID: 1988)
    • Reads Microsoft Office registry keys

      • uedit64.exe (PID: 5036)
    • Creates files in the program directory

      • update.exe (PID: 4520)
    • Process checks computer location settings

      • uedit64.exe (PID: 5036)
    • Reads the machine GUID from the registry

      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
      • update.exe (PID: 4024)
      • IDMUpdate.exe (PID: 1348)
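The list above is signature-major: one signature, then every process that triggered it. For triage the inverse view is more useful, every signature per process, so that a single PID that accumulates several SUSPICIOUS hits (update.exe, PID 4520, appears under trust-settings checks, certificate modification, dropped executables and self-relocation) stands out from processes with one INFO-level hit. The script below is an added example, not part of the ANY.RUN report or of IDM's software; it parses an excerpt of the indicator list in the report's own bullet format (copied above as a constructed sample) and ranks processes by a weighted hit count. The severity weights are the editor's assumption.

```python
"""Pivot an ANY.RUN-style indicator list from signature-major to process-major order."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the indicator list above, in the report's own layout
# (2-space indent = severity, 4 = signature, 6 = process). Not the complete list.
REPORT_EXCERPT = """\
  • MALICIOUS
    • Detects Cygwin installation
      • WinRAR.exe (PID: 624)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • update.exe (PID: 6916)
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
    • Checks Windows Trust Settings
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
      • update.exe (PID: 4024)
    • Executable content was dropped or overwritten
      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
    • Adds/modifies Windows certificates
      • update.exe (PID: 4520)
    • Starts itself from another location
      • update.exe (PID: 4520)
      • update.exe (PID: 4024)
      • update.exe (PID: 6528)
  • INFO
    • Reads the machine GUID from the registry
      • update.exe (PID: 4520)
      • IDMUpdate.exe (PID: 6600)
"""

SEVERITIES = ("MALICIOUS", "SUSPICIOUS", "INFO")
PROC_RE = re.compile(r"^(?P<image>\S+) \(PID: (?P<pid>\d+)\)$")


def parse_indicators(text):
    """Return {(pid, image): {severity: [signature, ...]}}.

    Nesting depth is taken from the number of spaces before the bullet, which is
    how the report encodes severity -> signature -> process.
    """
    by_proc = defaultdict(lambda: defaultdict(list))
    severity = signature = None
    for raw in text.splitlines():
        if "•" not in raw:
            continue
        indent = raw.index("•")
        item = raw.split("•", 1)[1].strip()
        if indent == 2:
            if item not in SEVERITIES:
                raise ValueError(f"unknown severity: {item}")
            severity = item
        elif indent == 4:
            signature = item
        elif indent == 6:
            m = PROC_RE.match(item)
            if not m or severity is None or signature is None:
                raise ValueError(f"malformed process line: {raw!r}")
            by_proc[(int(m["pid"]), m["image"])][severity].append(signature)
        else:
            raise ValueError(f"unexpected indentation: {raw!r}")
    return by_proc


def rank_processes(by_proc, weights=None):
    """Score each process (assumed weights: MALICIOUS 10, SUSPICIOUS 3, INFO 1).

    Returns [(score, pid, image, {severity: [signatures]})] sorted high to low.
    """
    weights = weights or {"MALICIOUS": 10, "SUSPICIOUS": 3, "INFO": 1}
    scored = []
    for (pid, image), hits in by_proc.items():
        score = sum(weights[sev] * len(sigs) for sev, sigs in hits.items())
        scored.append((score, pid, image, {sev: list(sigs) for sev, sigs in hits.items()}))
    return sorted(scored, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, pid, image, hits in rank_processes(parse_indicators(REPORT_EXCERPT)):
        print(f"{score:3d}  {image} (PID {pid})")
        for sev, sigs in hits.items():
            for sig in sigs:
                print(f"       [{sev}] {sig}")
```

On the excerpt, update.exe (PID 4520) scores 16 against 10 for the single MALICIOUS hit on WinRAR.exe; whether that ordering is right depends on the weights, which is why they are a parameter rather than a constant.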
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:22 20:21:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 4880896
InitializedDataSize: 2860544
UninitializedDataSize: -
EntryPoint: 0x3871f6
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.78
ProductVersionNumber: 2.0.0.78
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: IDM Computer Solutions, Inc.
FileDescription: IDM EasyUpdate
FileVersion: 2.0.0.78
InternalName: IDMEasyUpdate.exe
LegalCopyright: © IDM Computer Solutions, Inc. All rights reserved.
OriginalFileName: IDMEasyUpdate.exe
ProductName: IDM EasyUpdate
ProductVersion: 2.0.0.78
Total processes: 254
Monitored processes: 118
Malicious processes: 1
Suspicious processes: 4

Behavior graph

The interactive process graph is only available in the full report. Its nodes, in launch order and with repeats collapsed, are: update.exe, werfault.exe, winrar.exe, rundll32.exe, further update.exe instances, a large number of msedge.exe utility and renderer processes, identity_helper.exe, xmllint.exe, conhost.exe, uehh.exe, uedos32.exe, uedit64.exe, idmmonitor.exe, ues_ctags.exe, idmupdate.exe, uachelper.exe and uedit64.com. Nodes marked "no specs" in the graph carry no indicator data.

Process information

Each record gives the PID, command line, image path, parent process and loaded modules as the report shows them; the Indicators column is empty for every record reproduced here.

PID 132: conhost.exe (parent: uedit64.com)
Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 244: rundll32.exe (parent: svchost.exe)
Command line: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID 488: msedge.exe (parent: msedge.exe)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6940 --field-trial-handle=2352,i,2147863375350632972,4686506669252507225,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 556: msedge.exe (parent: msedge.exe)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1512 --field-trial-handle=2352,i,2147863375350632972,4686506669252507225,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 624: WinRAR.exe (parent: explorer.exe)
Command line: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\UltraEdit.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 624: msedge.exe (parent: msedge.exe; the PID was reused after WinRAR.exe exited)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=2392,i,8684283840044938739,12337280748143638951,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 748: msedge.exe (parent: msedge.exe)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6920 --field-trial-handle=2352,i,2147863375350632972,4686506669252507225,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1076: msedge.exe (parent: msedge.exe)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7240 --field-trial-handle=2352,i,2147863375350632972,4686506669252507225,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1344: msedge.exe (parent: msedge.exe; no exit code recorded)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --lang=en-US --service-sandbox-type=entity_extraction --no-appcompat-clear --mojo-platform-channel-handle=6912 --field-trial-handle=2352,i,2147863375350632972,4686506669252507225,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1348: IDMUpdate.exe (parent: update.exe; no company, description or version recorded)
Command line: "C:\Users\admin\AppData\Roaming\IDMComp\Common\IDMUpdate.exe" -p UltraEdit -a 31.1.0.36 -c 28.00.0.66 -l english -u https://www.ultraedit.com/redirects/registration/en/ue_paid_upgrade.html -t --license-file=C:\Users\admin\AppData\Roaming\IDMComp\UltraEdit\license\uedit32_v.spl
Path: C:\Users\admin\AppData\Roaming\IDMComp\Common\IDMUpdate.exe
User: admin
Integrity level: HIGH
Exit code: 0
Modules (images; the syswow64 entries show this is a 32-bit process under WOW64):
c:\users\admin\appdata\roaming\idmcomp\common\idmupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events: 41 141
Read events: 40 980
Write events: 154
Delete events: 7

Modification events

(PID 6916) update.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Name: CachePrefix
Value: (empty)

(PID 6916) update.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Name: CachePrefix
Value: Cookie:

(PID 6916) update.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Name: CachePrefix
Value: Visited:

(PID 6504) WerFault.exe, operation: write
Key: \REGISTRY\A\{6b2743a3-9d72-f230-9c0a-d632fe9ffad9}\Root\InventoryApplicationFile
Name: WritePermissionsCheck
Value: 1

(PID 6504) WerFault.exe, operation: delete key
Key: \REGISTRY\A\{6b2743a3-9d72-f230-9c0a-d632fe9ffad9}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Name: (default)
Value: (empty)

(PID 6504) WerFault.exe, operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Name: ClockTimeSeconds
Value: 374D696700000000

(PID 6504) WerFault.exe, operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Name: TickCount
Value: 12AC130000000000

(PID 624) WinRAR.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID 624) WinRAR.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID 624) WinRAR.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
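The two IdentityCRL\ClockData writes by WerFault.exe (PID 6504) are shown as hex dumps, which hide the one thing a responder wants from them: the time. The script below is an added example (editor's code, not part of the ANY.RUN report) that treats each dump as the raw little-endian bytes of the stored value. That byte order is an assumption about how the report prints binary values; it is supported by the result, since ClockTimeSeconds then decodes to 2024-12-23 11:44:55 UTC, 28 seconds after the analysis start given in the header (which is itself assumed to be UTC), and TickCount to roughly 21 minutes of guest uptime. The mapping of value names to meanings is also the editor's.

```python
"""Decode hex-dumped REG_QWORD values from a sandbox modification-events list."""
from datetime import datetime, timezone

# Constructed from the two WerFault.exe (PID 6504) writes to
# HKLM\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData shown above.
EVENTS = [
    {"pid": 6504, "process": "WerFault.exe", "name": "ClockTimeSeconds", "value": "374D696700000000"},
    {"pid": 6504, "process": "WerFault.exe", "name": "TickCount", "value": "12AC130000000000"},
]

# "Analysis date: December 23, 2024, 11:44:27" from the report header; assumed to be UTC.
ANALYSIS_START = datetime(2024, 12, 23, 11, 44, 27, tzinfo=timezone.utc)


def le_hex_to_int(value_hex):
    """Interpret the hex dump as the little-endian bytes of a DWORD or QWORD.

    Assumption: the report prints the value bytes in storage order, so the
    8-byte dump '374D696700000000' is the QWORD 0x67694D37.
    """
    raw = bytes.fromhex(value_hex)
    if len(raw) not in (4, 8):
        raise ValueError(f"expected a DWORD or QWORD, got {len(raw)} bytes")
    return int.from_bytes(raw, "little")


def decode_event(event):
    """Attach a human-readable interpretation to a known value name (editor's mapping)."""
    n = le_hex_to_int(event["value"])
    if event["name"] == "ClockTimeSeconds":
        when = datetime.fromtimestamp(n, tz=timezone.utc)      # seconds since the Unix epoch
        return {"raw": n, "kind": "unix_time", "utc": when.isoformat()}
    if event["name"] == "TickCount":
        return {"raw": n, "kind": "uptime_ms", "uptime_s": n / 1000}   # GetTickCount-style ms
    return {"raw": n, "kind": "unknown"}


def decode_all(events):
    """Decode a list of events into {value name: interpretation}."""
    return {e["name"]: decode_event(e) for e in events}


def seconds_after_analysis_start(event):
    """Offset of a ClockTimeSeconds write from the report's analysis start, in whole seconds."""
    when = datetime.fromtimestamp(le_hex_to_int(event["value"]), tz=timezone.utc)
    return int((when - ANALYSIS_START).total_seconds())


if __name__ == "__main__":
    for name, info in decode_all(EVENTS).items():
        print(f"{name}: {info}")
    print("ClockTimeSeconds is", seconds_after_analysis_start(EVENTS[0]), "s after analysis start")
```

A decoded clock value that falls inside the analysis window is a cheap consistency check on the byte-order assumption; a value centuries off would mean the dump is big-endian or not a timestamp at all.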
Executable files: 90
Suspicious files: 1 104
Text files: 721
Unknown types: 16

Dropped files

All ten files listed were dropped by PID 6916 (update.exe) under C:\Users\admin\AppData\Local\Temp\{6D37AE34-7546-4BEC-B3E3-979FB4630D00}\; paths below are relative to that directory, with the type as classified by the report.

ui\images\button-bg.png (image)
MD5: D92D853FA54564DF6778089FDDB3AA56
SHA256: 67E2AF00B1FC5B2A2B9929E8E468CFA6E8E4F453FF5DD07F5B1B390DE5D4976C

ui\style.css (text)
MD5: 4F76B47EEE1B297D660B3DB5A7D293B5
SHA256: DDDD8D234D15E7271E84A55EBF2A9957BB73427CEF15C0D31F90668EF049D237

ui\images\settings.png (image)
MD5: 634B5C6CE7953F7577BA9EF4D4053FBB
SHA256: AF9E37FA8FAEFF63E9F87898092EEC3415157C72B070BAFDF06A8A09508F1A4E

ui\strings.js (text)
MD5: 3561AF29E060482AE94830FD66BFFC6A
SHA256: 9A0B47CBBB6254E4BDAB1003E979E8B11A4150E1BBA7A03302A3006D363AE218

ui\images\update-icon.png (image)
MD5: BAF18D847BF3A2D2A9087C85C2458D33
SHA256: ED6856D81A7F94C269D073A2F011F578AC80896EA1BF337D79B2AEDF7A5E26F3

translations\es\iaa.mo (binary)
MD5: FA973FDD35E2DA2AB823B30AC8DA7310
SHA256: 50A8D7EF3F9DCB58128CC9BC34618AC37CB8C3C5F60722DF58796F24EAC2259F

ui\images\check.png (image)
MD5: 50508794E31AB5E010F51AF43E009446
SHA256: D4FE3A1FB311517841553C651EA89108230C94FFCE85EF52FF4C71C3F6124985

ui\images\clock.png (image)
MD5: AAC076ED8DCA90A611E0608821234172
SHA256: 8774E8AA6C576E5F786CBE85DEDA657698957F0B9CCFB9FF6C6C8A3F66C58FEB

translations\it\iaa.mo (gmo)
MD5: 0B6857F0664A79195E68DD0A1B311305
SHA256: 69D863FF4658D9CBCBBA501B80C2173C5C9D039FDF7161B3644AF45F3F1C3AE1

ui\arrange.js (text)
MD5: 7EC937A7D2C670BA7BF69C987A09F8B3
SHA256: B03F5802718EF7AE9EEAE73B26929E2C7FAE9117E4768436BE90F63377054C7B
HTTP(S) requests: 61
TCP/UDP connections: 175
DNS requests: 219
Threats: 6

HTTP requests

PID | Process | Method | HTTP code | IP | URL | Country (CN) | Reputation
(The report's Type and Size columns are empty for every row shown.)

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1380 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1380 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6532 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6868 | msedge.exe | GET | 304 | 69.192.161.44:80 | http://x1.i.lencr.org/ | unknown | whitelisted
5880 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4520 | update.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | unknown | whitelisted
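Every HTTP request in this table is certificate-infrastructure traffic: CRL downloads by Windows Update components and OCSP queries. The one that belongs to the sample is the GET by update.exe (PID 4520) to ocsp.godaddy.com, made by the same process the indicators flag for "Checks Windows Trust Settings" and "Adds/modifies Windows certificates". An OCSP GET carries the whole request as base64 DER in the URL path (RFC 6960, Appendix A), so the issuer hashes and the serial number of the certificate being checked can be recovered from the URL alone, without the PCAP. The decoder below is an added example written for this page, not code from ANY.RUN or from IDM; the two URLs are copied from the table above, and the algorithm-name mapping for the hash OIDs is the editor's. It is a minimal DER walker that only handles single-byte tags, which is all an OCSPRequest needs.

```python
"""Decode the CertID carried in an OCSP GET request URL (RFC 6960, Appendix A)."""
import base64
from urllib.parse import urlsplit, unquote

# Request URLs copied from the HTTP requests table above: update.exe (PID 4520) to GoDaddy and
# SearchApp.exe (PID 5064) to DigiCert. The bare "/" fetched from x1.i.lencr.org is a negative case.
GODADDY_URL = ("http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQU"
               "OpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D")
DIGICERT_URL = ("http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQU"
                "s9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D")

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
HASH_OIDS = {                       # editor's mapping of digest OIDs to names
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def _tlv(buf, pos):
    """Read one DER element (single-byte tag) -> (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed element's body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = _tlv(body, pos)
        out.append((tag, child))
    return out


def _oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url):
    """Return one dict per CertID in the request, or None if the path carries no request."""
    path = urlsplit(url).path.lstrip("/")   # GoDaddy's URL has a doubled slash
    if not path:
        return None
    der = base64.b64decode(unquote(path))   # %2B %2F %3D must be undone before base64
    tag, body, end = _tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("payload is not a single DER SEQUENCE (OCSPRequest)")
    tbs_tag, tbs = _children(body)[0]       # TBSRequest; an optional Signature may follow it
    if tbs_tag != SEQUENCE:
        raise ValueError("TBSRequest missing")
    # TBSRequest: [0] version and [1] requestorName are optional context tags; requestList is the SEQUENCE
    request_list = next(b for t, b in _children(tbs) if t == SEQUENCE)
    results = []
    for _, request in _children(request_list):
        _, cert_id = _children(request)[0]  # reqCert CertID is the first element of each Request
        fields = _children(cert_id)
        if [t for t, _ in fields] != [SEQUENCE, OCTET_STRING, OCTET_STRING, INTEGER]:
            raise ValueError("unexpected CertID layout")
        alg_oid = _oid(_children(fields[0][1])[0][1])   # AlgorithmIdentifier -> algorithm OID
        results.append({
            "hash_alg": HASH_OIDS.get(alg_oid, alg_oid),
            "issuer_name_hash": fields[1][1].hex(),
            "issuer_key_hash": fields[2][1].hex(),
            "serial_hex": fields[3][1].hex(),          # raw INTEGER bytes, leading 00 kept if present
            "serial": int.from_bytes(fields[3][1], "big", signed=True),
        })
    return results


if __name__ == "__main__":
    for name, url in (("godaddy", GODADDY_URL), ("digicert", DIGICERT_URL)):
        print(name, decode_ocsp_get(url))
```

The GoDaddy request from update.exe asks about serial number 7 under a SHA-1 issuer hash, so matching the issuerKeyHash against the subject key identifiers of the GoDaddy intermediates pins down which CA chain the process was validating; the DigiCert requests from SearchApp.exe, svchost.exe and backgroundTaskHost.exe are Windows' own checks and decode the same way.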

Connections

PID | Process | IP | Domain | ASN | Country (CN) | Reputation
(A dash marks a cell the report leaves empty.)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1380 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1380 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.209.176:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
  • 23.53.40.178
  • 23.53.40.176
whitelisted
google.com
  • 142.250.185.110
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.176
  • 2.23.209.160
  • 2.23.209.179
  • 2.23.209.161
  • 2.23.209.182
  • 2.23.209.181
  • 2.23.209.156
  • 2.23.209.158
  • 2.23.209.177
  • 2.23.209.193
  • 2.23.209.183
  • 2.23.209.187
  • 2.23.209.185
  • 2.23.209.189
  • 104.126.37.185
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.123
  • 104.126.37.171
  • 104.126.37.178
  • 104.126.37.186
  • 104.126.37.177
  • 104.126.37.153
  • 104.126.37.155
  • 104.126.37.154
  • 104.126.37.139
  • 104.126.37.145
  • 104.126.37.137
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.128
  • 104.126.37.160
  • 104.126.37.152
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 184.28.89.167
  • 23.35.238.131
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.21
whitelisted
arc.msn.com
  • 20.31.169.57
  • 20.223.35.26
whitelisted

Threats

PID | Process | Class | Message

6868 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
6868 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
6868 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
6868 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
7088 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)
7088 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)
No debug info