File name: dism_9kD-Ik1.bin

Full analysis: https://app.any.run/tasks/b66195db-a8cd-412b-ae7c-8ee474b73fdc
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 31, 2024, 02:55:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
adware
innosetup
stealer
netreactor
miner
metastealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4CEF35CB56164E4427C8890CF5CDFD85
SHA1: 242815E66819F32D46C37A57ED707030F57CA2C2
SHA256: 564B8E327A13C948CEA21587245B7B0005F786EA57F62BD602EF4ECEC66171C6
SSDEEP: 98304:b+cD4dno/Kiy69v/P4IzQ0eHJIsm/SK2gyGGnWfA/3nWAs1XnY/QI5QHpsisd:Uz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • dism_9kD-Ik1.bin.exe (PID: 6340)
      • dism_9kD-Ik1.bin.exe (PID: 888)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • 0xvqns5k.exe (PID: 4580)
      • UnifiedStub-installer.exe (PID: 4984)
    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 4984)
      • rsEngineSvc.exe (PID: 6484)
    • INNOSETUP has been detected (SURICATA)

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 6372)
    • METASTEALER has been detected (YARA)

      • rsAppUI.exe (PID: 7616)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • dism_9kD-Ik1.bin.tmp (PID: 6940)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsWSC.exe (PID: 7404)
      • rsEngineSvc.exe (PID: 7460)
      • rsEDRSvc.exe (PID: 4212)
      • rsEngineSvc.exe (PID: 6484)
    • Executable content was dropped or overwritten

      • dism_9kD-Ik1.bin.exe (PID: 6340)
      • dism_9kD-Ik1.bin.exe (PID: 888)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • 0xvqns5k.exe (PID: 4580)
      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
    • Reads the date of Windows installation

      • dism_9kD-Ik1.bin.tmp (PID: 6940)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • rsEDRSvc.exe (PID: 7260)
      • rsEngineSvc.exe (PID: 6484)
    • Reads the Windows owner or organization settings

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
    • Process drops legitimate windows executable

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • 0xvqns5k.exe (PID: 4580)
      • UnifiedStub-installer.exe (PID: 4984)
      • WinRAR.exe (PID: 6916)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 4984)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 4984)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 8120)
      • rsWSC.exe (PID: 6176)
      • rsEngineSvc.exe (PID: 6484)
      • rsClientSvc.exe (PID: 7536)
      • rsEDRSvc.exe (PID: 7260)
      • WmiApSrv.exe (PID: 1772)
      • rsVPNClientSvc.exe (PID: 1976)
      • rsVPNSvc.exe (PID: 5800)
      • WmiApSrv.exe (PID: 3888)
      • rsDNSSvc.exe (PID: 8824)
      • WmiApSrv.exe (PID: 9112)
      • rsDNSClientSvc.exe (PID: 5336)
      • rsDNSResolver.exe (PID: 8604)
    • Executes application which crashes

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
    • Access to an unwanted program domain was detected

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 4984)
      • rundll32.exe (PID: 6372)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 4984)
      • rsWSC.exe (PID: 7404)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 4984)
    • Uses RUNDLL32.EXE to load a library

      • UnifiedStub-installer.exe (PID: 4984)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 4984)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 4984)
      • WinRAR.exe (PID: 6916)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 4984)
    • Checks Windows Trust Settings

      • UnifiedStub-installer.exe (PID: 4984)
      • rsWSC.exe (PID: 7404)
      • rsEngineSvc.exe (PID: 7460)
      • rsEDRSvc.exe (PID: 4212)
      • rsWSC.exe (PID: 6176)
      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 7260)
    • The process creates files with names similar to system file names

      • UnifiedStub-installer.exe (PID: 4984)
      • WinRAR.exe (PID: 6916)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 4984)
    • Dropped object may contain URLs of miner pools

      • rsEngineSvc.exe (PID: 6484)
    • Reads the BIOS version

      • rsEDRSvc.exe (PID: 7260)
      • rsEngineSvc.exe (PID: 6484)
    • The process checks if it is being run in the virtual environment

      • rsEngineSvc.exe (PID: 6484)
    • Process checks whether PowerShell's Script Block Logging is on

      • rsEDRSvc.exe (PID: 7260)
    • Application launched itself

      • rsAppUI.exe (PID: 7616)
      • rsAppUI.exe (PID: 8044)
      • rsAppUI.exe (PID: 8996)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 8876)
      • cmd.exe (PID: 8360)
    • There is functionality for taking screenshot (YARA)

      • rsVPNSvc.exe (PID: 5800)
    • Starts CMD.EXE for command execution

      • rsDNSSvc.exe (PID: 8824)
  • INFO

    • Creates files in a temporary directory

      • dism_9kD-Ik1.bin.exe (PID: 6340)
      • dism_9kD-Ik1.bin.exe (PID: 888)
      • prod0.exe (PID: 6764)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • 0xvqns5k.exe (PID: 4580)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsAppUI.exe (PID: 7616)
    • Checks supported languages

      • dism_9kD-Ik1.bin.exe (PID: 6340)
      • dism_9kD-Ik1.bin.tmp (PID: 6940)
      • dism_9kD-Ik1.bin.exe (PID: 888)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • 0xvqns5k.exe (PID: 4580)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsSyncSvc.exe (PID: 8028)
      • rsSyncSvc.exe (PID: 8120)
      • identity_helper.exe (PID: 8080)
      • identity_helper.exe (PID: 7924)
      • rsWSC.exe (PID: 6176)
      • rsWSC.exe (PID: 7404)
      • rsClientSvc.exe (PID: 2192)
      • rsClientSvc.exe (PID: 7536)
      • rsEngineSvc.exe (PID: 6484)
      • rsEngineSvc.exe (PID: 7460)
      • rsHelper.exe (PID: 2548)
      • rsEDRSvc.exe (PID: 7260)
      • rsEDRSvc.exe (PID: 4212)
      • EPP.exe (PID: 7224)
      • rsAppUI.exe (PID: 7616)
      • rsAppUI.exe (PID: 7424)
      • rsAppUI.exe (PID: 3392)
      • rsAppUI.exe (PID: 7480)
      • rsAppUI.exe (PID: 6736)
      • rsLitmus.A.exe (PID: 5396)
    • Reads the computer name

      • dism_9kD-Ik1.bin.tmp (PID: 6940)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsSyncSvc.exe (PID: 8028)
      • rsSyncSvc.exe (PID: 8120)
      • identity_helper.exe (PID: 8080)
      • identity_helper.exe (PID: 7924)
      • rsWSC.exe (PID: 6176)
      • rsWSC.exe (PID: 7404)
      • rsClientSvc.exe (PID: 2192)
      • rsClientSvc.exe (PID: 7536)
      • rsEngineSvc.exe (PID: 7460)
      • rsEngineSvc.exe (PID: 6484)
      • rsHelper.exe (PID: 2548)
      • rsEDRSvc.exe (PID: 4212)
      • rsEDRSvc.exe (PID: 7260)
      • rsAppUI.exe (PID: 7424)
      • rsAppUI.exe (PID: 3392)
      • rsAppUI.exe (PID: 7616)
    • Process checks computer location settings

      • dism_9kD-Ik1.bin.tmp (PID: 6940)
      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • rsAppUI.exe (PID: 7480)
      • rsAppUI.exe (PID: 6736)
      • rsAppUI.exe (PID: 7616)
    • Reads the machine GUID from the registry

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsWSC.exe (PID: 6176)
      • rsWSC.exe (PID: 7404)
      • rsEngineSvc.exe (PID: 7460)
      • rsEngineSvc.exe (PID: 6484)
      • rsHelper.exe (PID: 2548)
      • rsEDRSvc.exe (PID: 4212)
      • rsEDRSvc.exe (PID: 7260)
      • rsAppUI.exe (PID: 7616)
    • Disables trace logs

      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 7260)
    • Reads Environment values

      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • identity_helper.exe (PID: 8080)
      • identity_helper.exe (PID: 7924)
      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 7260)
      • rsAppUI.exe (PID: 7616)
    • Reads the software policy settings

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • WerFault.exe (PID: 6328)
      • WerFault.exe (PID: 7240)
      • slui.exe (PID: 4936)
      • rsWSC.exe (PID: 7404)
      • rsEngineSvc.exe (PID: 7460)
      • rsWSC.exe (PID: 6176)
      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 4212)
      • rsEDRSvc.exe (PID: 7260)
    • Checks proxy server information

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • prod0.exe (PID: 6764)
      • UnifiedStub-installer.exe (PID: 4984)
      • WerFault.exe (PID: 6328)
      • WerFault.exe (PID: 7240)
      • slui.exe (PID: 4936)
      • rsWSC.exe (PID: 7404)
      • rsAppUI.exe (PID: 7616)
    • Application launched itself

      • msedge.exe (PID: 5696)
      • msedge.exe (PID: 1000)
      • msedge.exe (PID: 4940)
    • Reads Microsoft Office registry keys

      • dism_9kD-Ik1.bin.tmp (PID: 2300)
      • msedge.exe (PID: 1000)
      • msedge.exe (PID: 5696)
      • msedge.exe (PID: 4940)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 4984)
      • rsWSC.exe (PID: 7404)
      • rsEngineSvc.exe (PID: 7460)
      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 4212)
      • rsEDRSvc.exe (PID: 7260)
    • Manual execution by a user

      • msedge.exe (PID: 1000)
      • Dism++x64.exe (PID: 9212)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7240)
      • WerFault.exe (PID: 6328)
      • UnifiedStub-installer.exe (PID: 4984)
      • rsWSC.exe (PID: 7404)
      • rsEngineSvc.exe (PID: 6484)
      • rsAppUI.exe (PID: 7616)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 4984)
      • rsEngineSvc.exe (PID: 6484)
      • rsHelper.exe (PID: 2548)
      • rsEDRSvc.exe (PID: 7260)
      • rsVPNSvc.exe (PID: 5800)
      • rsAppUI.exe (PID: 7616)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 456)
    • Reads the time zone

      • runonce.exe (PID: 456)
      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 7260)
    • Reads CPU info

      • rsEngineSvc.exe (PID: 6484)
      • rsEDRSvc.exe (PID: 7260)
    • Reads product name

      • rsEDRSvc.exe (PID: 7260)
      • rsAppUI.exe (PID: 7616)
      • rsEngineSvc.exe (PID: 6484)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6916)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.2.174.2916
ProductVersionNumber: 2.2.174.2916
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion: 2.2.174.2916
LegalCopyright:
OriginalFileName:
ProductName:
ProductVersion: 2.2.174.2916
No data.
All screenshots are available in the full report
Total processes: 301
Monitored processes: 148
Malicious processes: 13
Suspicious processes: 3

Behavior graph


Process information

PID | CMD | Path | Indicators | Parent process
256 | ipconfig /flushdns | C:\Windows\System32\ipconfig.exe | | cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
456 | "C:\WINDOWS\system32\runonce.exe" -r | C:\Windows\System32\runonce.exe | | rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run Once Wrapper
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
504 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5140 --field-trial-handle=2336,i,12529788587044987969,8548517133415311312,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
504 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=2336,i,12529788587044987969,8548517133415311312,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
528 | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6572 --field-trial-handle=2336,i,12529788587044987969,8548517133415311312,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe | | msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 3221226029
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
756 | "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2828 --field-trial-handle=2288,i,4014462057259370540,8670547196092016257,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | | rsAppUI.exe
User: admin
Company: Reason Cybersecurity Ltd.
Integrity Level: MEDIUM
Description: ReasonLabs Application
Exit code: 0
Version: 1.4.2
812 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | | rsClientSvc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
888 | "C:\Users\admin\Desktop\dism_9kD-Ik1.bin.exe" /SPAWNWND=$D03C2 /NOTIFYWND=$2C0052 | C:\Users\admin\Desktop\dism_9kD-Ik1.bin.exe | | dism_9kD-Ik1.bin.tmp
User: admin
Company:
Integrity Level: HIGH
Description:
Exit code: 3221226525
Version: 2.2.174.2916
Modules
Images
c:\users\admin\desktop\dism_9kd-ik1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
1000 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument https://kr.download.it/?typ=1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1176 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2504 --field-trial-handle=2512,i,11001503210604838633,354415380166667528,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 87 505
Read events: 87 117
Write events: 317
Delete events: 71

Modification events

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: FC0800005E50DF24F5E2DA01

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 3D07957B3059CE4F61B792609E78A7BCFC2AF146EBF9C89CB23FCBDB68D20560

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2300) dism_9kD-Ik1.bin.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6764) prod0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6764) prod0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6764) prod0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 913
Suspicious files: 665
Text files: 253
Unknown types: 82

Dropped files

PID | Process | Filename | Type
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\is-CNPDD.tmp | image
MD5: EB49CBD36D07CD5768271767269131F2
SHA256: A2825968B1C18604E678123FED0CCB6011D3CA0B6AB015E0DD84BA5D9F9F447A
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\Helper.dll | executable
MD5: 4EB0347E66FA465F602E52C03E5C0B4B
SHA256: C73E53CBB7B98FEAFE27CC7DE8FDAD51DF438E2235E91891461C5123888F73CC
4580 | 0xvqns5k.exe | C:\Users\admin\AppData\Local\Temp\7zS4E1EBA1C\ARM64\Reason.ArchiveUtility-ARM64.dll | executable
MD5: 084B3EBB27DA692C90CCC83A765E8B2E
SHA256: DBB2C00B06B818D5DA88954EDDD9C7B8911A748B1E8C853B9DA7FAAACDBE536D
888 | dism_9kD-Ik1.bin.exe | C:\Users\admin\AppData\Local\Temp\is-I9UKR.tmp\dism_9kD-Ik1.bin.tmp | executable
MD5: 02B1D8FF84BCD4EBCB01156636269B99
SHA256: A6497DDDDD577CAEFE5A39958A604F9EE4BFE93E9DA285B147BA6FC6788E75CA
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\RAV_Cross.png | image
MD5: CD09F361286D1AD2622BA8A57B7613BD
SHA256: B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\error.png | image
MD5: 3E0EF82A84C2729BB4DFD1D2C6559661
SHA256: F61146882B17147067AEBDF4594C6CBAF93E1891500623567ED404F5FFCF94C2
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\mainlogo.png | image
MD5: EB49CBD36D07CD5768271767269131F2
SHA256: A2825968B1C18604E678123FED0CCB6011D3CA0B6AB015E0DD84BA5D9F9F447A
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\is-BIAUL.tmp | image
MD5: CD09F361286D1AD2622BA8A57B7613BD
SHA256: B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
2300 | dism_9kD-Ik1.bin.tmp | C:\Users\admin\AppData\Local\Temp\is-TH09J.tmp\is-POEC7.tmp | compressed
MD5: 86D3F8A73A01FBB6BB985DC9A939FE15
SHA256: 9149F635096571CD67A82A2EFA113C819B8B9005E4F29D6F0D6EB26BB15ED41C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 91
TCP/UDP connections: 257
DNS requests: 180
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 312 b | whitelisted
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | US | binary | 471 b | whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
5804 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
2300 | dism_9kD-Ik1.bin.tmp | GET | 200 | 95.168.168.24:80 | http://dl.jalecdn.com/KR/dism.zip | NL | compressed | 3.51 Mb | unknown
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted
4984 | UnifiedStub-installer.exe | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D | US | binary | 2.60 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2472 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6012 | MoUsoCoreWorker.exe | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
6012 | MoUsoCoreWorker.exe | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | unknown
6716 | slui.exe | 40.91.76.224:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6044 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
3952 | svchost.exe | 40.91.76.224:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3336 | slui.exe | 40.91.76.224:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
t-ring-fdv2.msedge.net | 13.107.237.254 | unknown
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 104.126.37.128, 104.126.37.176, 104.126.37.153, 104.126.37.161, 104.126.37.171, 104.126.37.155, 104.126.37.146, 104.126.37.139, 104.126.37.170, 104.126.37.131, 104.126.37.130, 104.126.37.145, 104.126.37.129, 104.126.37.123 | whitelisted
google.com | 216.58.212.174 | whitelisted
fp-afd-nocache-ccp.azureedge.net | 13.107.246.60 | whitelisted
login.live.com | 40.126.32.136, 40.126.32.74, 20.190.160.20, 20.190.160.14, 40.126.32.133, 40.126.32.134, 20.190.160.22, 40.126.32.72 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
client.wns.windows.com | 40.113.103.199 | whitelisted
fd.api.iris.microsoft.com | 20.223.35.26 | whitelisted

Threats

PID | Process | Class | Message
2300 | dism_9kD-Ik1.bin.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
No debug info