File name:

install.exe

Full analysis: https://app.any.run/tasks/3df5bc54-d8a4-467b-981b-69ae1101e8a2
Verdict: Malicious activity
Threats:

A loader is malware whose job is to get a foothold on a device and deliver further payloads. Once running it can profile the system and install other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable, and loaders employ evasion and persistence tactics to avoid detection. In this sample the loader tag sits next to the expiro and m0yv tags, and the indicators below show the user-launched install.exe (PID 1788, running at high integrity) overwriting Windows service binaries under System32 and Program Files; those binaries are then started by services.exe and trigger the same M0YV mutex and YARA hits, so the host's own service executables, not only the downloaded installer, have to be treated as compromised.

Analysis date: October 30, 2024, 23:06:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
expiro
m0yv
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

A9E407DB02368988B5927D038A68E06C

SHA1:

32A2AEB42E7CA942AEF62861A1F3F6AD005D6C89

SHA256:

80406D91BBC0906163805815B33CF96104537D24B51EE47D586ECFFC187742B2

SSDEEP:

98304:U15TA2EMEKzWwWzcy+KV6cV+DgJAbAOSHi7Yf9J5gplGDbr8y3KsnLPGvCgbQirK:ywHbl68Jx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • install.exe (PID: 1788)
      • armsvc.exe (PID: 4584)
      • FlashPlayerUpdateService.exe (PID: 7080)
      • alg.exe (PID: 7100)
      • AppVClient.exe (PID: 3728)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5592)
      • MicrosoftEdgeUpdate.exe (PID: 3648)
      • MicrosoftEdgeUpdate.exe (PID: 948)
      • MicrosoftEdgeUpdate.exe (PID: 6776)
      • FXSSVC.exe (PID: 5004)
      • GameInputSvc.exe (PID: 2928)
      • GameInputSvc.exe (PID: 7148)
      • elevation_service.exe (PID: 1784)
      • GoogleUpdate.exe (PID: 6396)
      • MicrosoftEdgeUpdate.exe (PID: 6888)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • GoogleUpdate.exe (PID: 6320)
      • elevation_service.exe (PID: 6584)
      • maintenanceservice.exe (PID: 2648)
      • GoogleUpdate.exe (PID: 2632)
      • msdtc.exe (PID: 6128)
      • PerceptionSimulationService.exe (PID: 4476)
      • GoogleUpdate.exe (PID: 3620)
    • M0YV has been detected (YARA)

      • alg.exe (PID: 7100)
      • install.exe (PID: 1788)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5592)
      • armsvc.exe (PID: 4584)
      • MicrosoftEdgeUpdate.exe (PID: 3648)
      • GameInputSvc.exe (PID: 2928)
    • EXPIRO has been detected (SURICATA)

      • install.exe (PID: 1788)
    • Connects to the CnC server

      • install.exe (PID: 1788)
    • Expiro has been found (SURICATA)

      • install.exe (PID: 1788)
  • SUSPICIOUS

    • Executes as Windows Service

      • armsvc.exe (PID: 4584)
      • FlashPlayerUpdateService.exe (PID: 7080)
      • alg.exe (PID: 7100)
      • AppVClient.exe (PID: 3728)
      • MicrosoftEdgeUpdate.exe (PID: 948)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5592)
      • FXSSVC.exe (PID: 5004)
      • GoogleUpdate.exe (PID: 6396)
      • GameInputSvc.exe (PID: 2928)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • msdtc.exe (PID: 6128)
      • maintenanceservice.exe (PID: 2648)
      • PerceptionSimulationService.exe (PID: 4476)
      • perfhost.exe (PID: 2360)
      • PSEXESVC.exe (PID: 6232)
      • SensorDataService.exe (PID: 7180)
      • snmptrap.exe (PID: 7324)
      • TieringEngineService.exe (PID: 7520)
      • wbengine.exe (PID: 7836)
      • Locator.exe (PID: 6516)
      • ssh-agent.exe (PID: 7456)
      • Spectrum.exe (PID: 7388)
      • vds.exe (PID: 7700)
      • AgentService.exe (PID: 7648)
      • VSSVC.exe (PID: 7768)
      • WmiApSrv.exe (PID: 7924)
      • GoogleUpdate.exe (PID: 8248)
      • updater.exe (PID: 8900)
      • updater.exe (PID: 5920)
      • updater.exe (PID: 6416)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 948)
      • MicrosoftEdgeUpdate.exe (PID: 3648)
      • GameInputSvc.exe (PID: 2928)
      • GoogleUpdate.exe (PID: 6396)
      • GoogleUpdate.exe (PID: 6320)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • updater.exe (PID: 8656)
      • GoogleUpdate.exe (PID: 8248)
      • setup.exe (PID: 8292)
      • updater.exe (PID: 8900)
      • updater.exe (PID: 5920)
      • updater.exe (PID: 6244)
      • updater.exe (PID: 6416)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5792)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4836)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7132)
      • MicrosoftEdgeUpdate.exe (PID: 6776)
    • Executable content was dropped or overwritten

      • install.exe (PID: 1788)
      • svchost.exe (PID: 6484)
      • updater.exe (PID: 8656)
      • GoogleUpdate.exe (PID: 8248)
      • armsvc.exe (PID: 4584)
      • updater.exe (PID: 5920)
      • MicrosoftEdge_X64_130.0.2849.56.exe (PID: 8536)
    • Process drops legitimate windows executable

      • install.exe (PID: 1788)
      • armsvc.exe (PID: 4584)
      • MicrosoftEdge_X64_130.0.2849.56.exe (PID: 8536)
    • Contacting a server suspected of hosting a CnC

      • install.exe (PID: 1788)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6484)
    • Drops 7-zip archiver for unpacking

      • install.exe (PID: 1788)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 6484)
  • INFO

    • Reads the computer name

      • install.exe (PID: 1788)
      • armsvc.exe (PID: 4584)
      • FlashPlayerUpdateService.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 948)
      • MicrosoftEdgeUpdate.exe (PID: 3648)
      • MicrosoftEdgeUpdate.exe (PID: 6776)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5792)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4836)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7132)
      • elevation_service.exe (PID: 1784)
      • GoogleUpdate.exe (PID: 6396)
      • GoogleUpdate.exe (PID: 6320)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • elevation_service.exe (PID: 6584)
      • MicrosoftEdgeUpdate.exe (PID: 6888)
      • GoogleUpdate.exe (PID: 2632)
      • GoogleCrashHandler.exe (PID: 5792)
      • GoogleUpdate.exe (PID: 3620)
      • GoogleCrashHandler64.exe (PID: 6392)
      • maintenanceservice.exe (PID: 2648)
    • Creates files or folders in the user directory

      • install.exe (PID: 1788)
      • GoogleUpdate.exe (PID: 2632)
    • Checks supported languages

      • install.exe (PID: 1788)
      • armsvc.exe (PID: 4584)
      • FlashPlayerUpdateService.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 948)
      • MicrosoftEdgeUpdate.exe (PID: 3648)
      • MicrosoftEdgeUpdate.exe (PID: 6776)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5792)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4836)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7132)
      • elevation_service.exe (PID: 1784)
      • GoogleUpdate.exe (PID: 6396)
      • MicrosoftEdgeUpdate.exe (PID: 6888)
      • GoogleUpdate.exe (PID: 6320)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • elevation_service.exe (PID: 6584)
      • maintenanceservice.exe (PID: 2648)
      • GoogleUpdate.exe (PID: 2632)
      • GoogleCrashHandler.exe (PID: 5792)
      • GoogleCrashHandler64.exe (PID: 6392)
      • GoogleUpdate.exe (PID: 3620)
    • Checks proxy server information

      • install.exe (PID: 1788)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 5004)
      • GoogleUpdate.exe (PID: 6396)
      • GoogleUpdate.exe (PID: 6320)
      • GoogleUpdate.exe (PID: 2632)
      • maintenanceservice.exe (PID: 2648)
      • GoogleUpdate.exe (PID: 3620)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 7148)
    • Executes as Windows Service

      • elevation_service.exe (PID: 1784)
      • elevation_service.exe (PID: 6584)
      • SearchIndexer.exe (PID: 8084)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 6128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:01:12 00:05:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 6144
InitializedDataSize: 5182976
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 11.0.0.0
ProductVersionNumber: 11.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: The MASM32 SDK
FileDescription: MASM32 Installation
FileVersion: 11
InternalName: Install
OriginalFileName: install.exe
LegalCopyright: © 2011 The MASM32 SDK
ProductName: MASM32 SDK
ProductVersion: 11
All screenshots are available in the full report
Total processes
197
Monitored processes
67
Malicious processes
23
Suspicious processes
3

Behavior graph

Process nodes of the graph in launch order ("#M0YV" marks nodes on which the M0YV signature fired; "no specs" is the report's marker for nodes without specific indicators):

  • #M0YV install.exe
  • #M0YV armsvc.exe
  • #M0YV flashplayerupdateservice.exe (no specs)
  • #M0YV alg.exe (no specs)
  • #M0YV appvclient.exe (no specs)
  • #M0YV diagnosticshub.standardcollector.service.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV fxssvc.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV gameinputsvc.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV gameinputsvc.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV elevation_service.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe
  • #M0YV elevation_service.exe (no specs)
  • #M0YV googleupdate.exe
  • #M0YV maintenanceservice.exe (no specs)
  • googlecrashhandler.exe (no specs)
  • #M0YV msdtc.exe (no specs)
  • googlecrashhandler64.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV perceptionsimulationservice.exe (no specs)
  • perfhost.exe (no specs)
  • psexesvc.exe (no specs)
  • locator.exe (no specs)
  • microsoftedgeupdate.exe
  • sensordataservice.exe (no specs)
  • snmptrap.exe (no specs)
  • spectrum.exe (no specs)
  • ssh-agent.exe (no specs)
  • tieringengineservice.exe (no specs)
  • agentservice.exe (no specs)
  • vds.exe (no specs)
  • svchost.exe
  • vssvc.exe (no specs)
  • wbengine.exe (no specs)
  • wmiapsrv.exe (no specs)
  • Delivery Optimization User (no specs)
  • searchindexer.exe (no specs)
  • googleupdate.exe
  • svchost.exe
  • tstexe.exe (no specs)
  • masm32ci.exe (no specs)
  • updatersetup.exe (no specs)
  • googleupdate.exe
  • updater.exe
  • updater.exe (no specs)
  • searchprotocolhost.exe (no specs)
  • searchfilterhost.exe (no specs)
  • microsoftedge_x64_130.0.2849.56.exe
  • setup.exe (no specs)
  • setup.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • install.exe (no specs)

Process information

(Columns of the original table: PID, CMD, Path, Indicators, Parent process. The Indicators column is empty for every process shown here.)

PID:
692
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x308,0x30c,0x310,0x304,0x314,0x896290,0x89629c,0x8962a8
Path:
C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
131.0.6776.0
Modules
Images
c:\program files (x86)\google\googleupdater\131.0.6776.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
948
CMD:
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
Path:
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.147.37
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
1784
CMD:
"C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe"
Path:
C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\122.0.6261.70\elevation_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
1788
CMD:
"C:\Users\admin\Desktop\install.exe"
Path:
C:\Users\admin\Desktop\install.exe
Parent process:
explorer.exe
User:
admin
Company:
The MASM32 SDK
Integrity Level:
HIGH
Description:
MASM32 Installation
Version:
11.0
Modules
Images
c:\users\admin\desktop\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
2172
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2360
CMD:
C:\WINDOWS\SysWow64\perfhost.exe
Path:
C:\Windows\SysWOW64\perfhost.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
x86 Performance Counter Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\perfhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
PID:
2632
CMD:
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr
Path:
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process:
GoogleUpdate.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Installer
Exit code:
0
Version:
1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
2648
CMD:
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Path:
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Mozilla Foundation
Integrity Level:
SYSTEM
Exit code:
0
Version:
123.0
Modules
Images
c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll
PID:
2928
CMD:
C:\WINDOWS\System32\GameInputSvc.exe
Path:
C:\Windows\System32\GameInputSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
GameInput Host Service
Version:
0.2309.19041.4046
Modules
Images
c:\windows\system32\gameinputsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
PID:
3620
CMD:
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
Path:
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process:
GoogleUpdate.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Installer
Exit code:
0
Version:
1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
28 383
Read events
24 083
Write events
4 204
Delete events
96

Modification events

(PID) Process: (4584) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 574328

(PID) Process: (948) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation: write
Name: omaha_version
Value: 1100B90003000100

(PID) Process: (948) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Booleans
Operation: write
Name: is_system_install
Value: 01000000

(PID) Process: (948) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation: write
Name: goopdate_main
Value: 1500000000000000

(PID) Process: (948) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation: write
Name: goopdate_constructor
Value: 1500000000000000

(PID) Process: (948) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation: write
Name: windows_major_version
Value: 0A00000000000000

(PID) Process: (3648) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
Operation: write
Name: InstallTime
Value:

(PID) Process: (6776) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6776) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6776) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}\InprocHandler32
Operation: write
Name: ThreadingModel
Value: Both
Executable files
158
Suspicious files
79
Text files
1 072
Unknown types
0

Dropped files

PID | Process | Filename | Type

948 | MicrosoftEdgeUpdate.exe | C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log | text
MD5: 837067F6EE2E4982576A67EF580B437E
SHA256: 9485DDEC22761F6C18CCFD0A725AA1CF8E313FBF0CAC3F96616934CBE708D85E

1788 | install.exe | C:\Windows\System32\alg.exe | executable
MD5: 57A281DEC38048F48658E9FF40AAD6A4
SHA256: F05CABBA4202698BAD54611CBDD5172B6B94221C0253276A09CA16864F9AACC5

1788 | install.exe | C:\Windows\System32\msiexec.exe | executable
MD5: 2EA66429395343DB6F5EDA63CB487D62
SHA256: BBE1E8DF2D3041EB1EEEE6602AE19EBFF0F84B189BA838351335E66B837C9193

1788 | install.exe | C:\Windows\System32\GameInputSvc.exe | executable
MD5: FF3B00664BCE774F9EE7F39DE51B827C
SHA256: 3CA8D4F23771A76B774E6B85A37CBFB354EDCE8310A7A231BAE83ADB10CFCC12

1788 | install.exe | C:\Windows\System32\FXSSVC.exe | executable
MD5: 9B3E6055A18882C90D4FF27B1C7997B9
SHA256: A988AA511F215F0802D458F396AD47CCFD767C141BE68960574C75E151438E86

1788 | install.exe | C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | executable
MD5: BD845DFF4B665A0CE54F59E91A83F1A3
SHA256: 342DCB7694A7470E74875AA7065E80C3C4B863F64C45FCF33197A60A06FAA9A9

1788 | install.exe | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | executable
MD5: 536CE325DFFD108018294936EA75C253
SHA256: 8954E6E077BB7D070B57CF6DB7C6040EBC11810DEDC4FF55900DB43C0BEAA341

1788 | install.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | executable
MD5: D8F270394D9DFD49120C2FBDDEBC5B24
SHA256: A5C507EC98BBEA4C630F4352CB66FB499FB67FD901962646C3AB3DD8EEA9ACE1

1788 | install.exe | C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe | executable
MD5: A904BAD00073A7D3A0329C1260D1C6B9
SHA256: 62C9E249065297B929829CD8BCA0258190ED14823A4630AFDA0B8CF10D29111B

1788 | install.exe | C:\Windows\System32\AppVClient.exe | executable
MD5: 6634E7E46800986654051794A765567A
SHA256: 8FF04A42DE7A22DCFD4331F5B81D1E7CDAD5B0C293609360D25BF2946C1A7EAE
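The dropped-files table is the most useful part of this report for incident response: every executable that install.exe (PID 1788) wrote went into System32 or Program Files, and most of those images later appear under "Executes as Windows Service" and "M0YV mutex has been found". The script below is an added example, not ANY.RUN's code, that performs that correlation. The records are constructed from the tables and indicator lists above (PIDs, paths, MD5s and image names as printed); the record schema, the PROTECTED_PREFIXES list and the split into "executed" and "dormant" are my own assumptions about how a triage would be organised.

```python
"""Correlate sandbox 'dropped file' records with later process indicators.

Added example; not ANY.RUN's code. Records are constructed from the report:
PIDs, paths, hashes and indicator image names are copied from its tables, the
dataclass schema and PROTECTED_PREFIXES are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Directories a user-launched installer has no business writing PE files into.
# Assumption: a real deployment would take this list from policy.
PROTECTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class Drop:
    pid: int
    process: str
    path: str
    ftype: str  # "executable" or "text", as the sandbox labels it
    md5: str


# Constructed from the "Dropped files" table above.
DROPS = [
    Drop(948, "MicrosoftEdgeUpdate.exe",
         r"C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log",
         "text", "837067F6EE2E4982576A67EF580B437E"),
    Drop(1788, "install.exe", r"C:\Windows\System32\alg.exe",
         "executable", "57A281DEC38048F48658E9FF40AAD6A4"),
    Drop(1788, "install.exe", r"C:\Windows\System32\msiexec.exe",
         "executable", "2EA66429395343DB6F5EDA63CB487D62"),
    Drop(1788, "install.exe", r"C:\Windows\System32\GameInputSvc.exe",
         "executable", "FF3B00664BCE774F9EE7F39DE51B827C"),
    Drop(1788, "install.exe", r"C:\Windows\System32\FXSSVC.exe",
         "executable", "9B3E6055A18882C90D4FF27B1C7997B9"),
    Drop(1788, "install.exe",
         r"C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
         "executable", "BD845DFF4B665A0CE54F59E91A83F1A3"),
    Drop(1788, "install.exe",
         r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
         "executable", "536CE325DFFD108018294936EA75C253"),
    Drop(1788, "install.exe",
         r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
         "executable", "D8F270394D9DFD49120C2FBDDEBC5B24"),
    Drop(1788, "install.exe",
         r"C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe",
         "executable", "A904BAD00073A7D3A0329C1260D1C6B9"),
    Drop(1788, "install.exe", r"C:\Windows\System32\AppVClient.exe",
         "executable", "6634E7E46800986654051794A765567A"),
]

# Constructed from the indicator lists above: images that ran as a Windows
# service, and images on which the M0YV mutex / YARA signature fired.
RAN_AS_SERVICE = {
    "armsvc.exe", "FlashPlayerUpdateService.exe", "alg.exe", "AppVClient.exe",
    "MicrosoftEdgeUpdate.exe", "DiagnosticsHub.StandardCollector.Service.exe",
    "FXSSVC.exe", "GoogleUpdate.exe", "GameInputSvc.exe", "msdtc.exe",
    "maintenanceservice.exe", "PerceptionSimulationService.exe", "perfhost.exe",
    "PSEXESVC.exe", "SensorDataService.exe", "snmptrap.exe",
    "TieringEngineService.exe", "wbengine.exe", "Locator.exe", "ssh-agent.exe",
    "Spectrum.exe", "vds.exe", "AgentService.exe", "VSSVC.exe", "WmiApSrv.exe",
    "updater.exe", "elevation_service.exe", "SearchIndexer.exe",
}
M0YV_HITS = {
    "install.exe", "armsvc.exe", "FlashPlayerUpdateService.exe", "alg.exe",
    "AppVClient.exe", "DiagnosticsHub.StandardCollector.Service.exe",
    "MicrosoftEdgeUpdate.exe", "FXSSVC.exe", "GameInputSvc.exe",
    "elevation_service.exe", "GoogleUpdate.exe", "maintenanceservice.exe",
    "msdtc.exe", "PerceptionSimulationService.exe",
}


def is_protected(path: str) -> bool:
    """True if the path is under a directory only trusted installers should touch."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def overwritten_pe(drops, dropper_pid: int):
    """Executables written into protected directories by the given PID."""
    return [d for d in drops
            if d.pid == dropper_pid and d.ftype == "executable" and is_protected(d.path)]


def correlate(drops, dropper_pid: int, ran_as_service, m0yv_hits):
    """For each overwritten PE note whether that image later ran as a service and
    whether the M0YV signature fired on it. Names are lower-cased because the
    indicator lists and the file table do not agree on casing."""
    svc = {n.lower() for n in ran_as_service}
    hit = {n.lower() for n in m0yv_hits}
    rows = []
    for d in overwritten_pe(drops, dropper_pid):
        name = basename(d.path).lower()
        rows.append({"path": d.path, "md5": d.md5,
                     "ran_as_service": name in svc,
                     "m0yv_after_drop": name in hit})
    return rows


def triage_summary(rows):
    """Split into images confirmed running with the signature vs. overwritten but
    not yet observed executing (still infected, just not started during the run)."""
    executed = [r["path"] for r in rows if r["m0yv_after_drop"]]
    dormant = [r["path"] for r in rows if not r["m0yv_after_drop"]]
    return executed, dormant


if __name__ == "__main__":
    rows = correlate(DROPS, 1788, RAN_AS_SERVICE, M0YV_HITS)
    executed, dormant = triage_summary(rows)
    print(f"{len(rows)} PE files overwritten in protected directories by PID 1788")
    for r in rows:
        print(f"  [{'M0YV' if r['m0yv_after_drop'] else '----'}] {r['path']}  md5={r['md5']}")
    print(f"{len(executed)} executed with the signature, {len(dormant)} not yet seen running")
```

Two caveats for using this on a real host. First, the MD5/SHA256 values in the table are hashes of the already-overwritten files, so they identify this infection on this machine; because each infected file is derived from the host binary it replaced, the same malware on another host produces different hashes, and hash matching alone will miss it. Second, the check a practitioner actually wants on the live system is signature verification of each listed path (for example Get-AuthenticodeSignature in PowerShell, or comparing against a known-good copy from install media); a signed Microsoft, Google, Mozilla or Adobe service binary that no longer validates is the infection, whatever its hash.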
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
446
TCP/UDP connections
171
DNS requests
142
Threats
6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns of the original table carry no values in this export.)

4584 | armsvc.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/caipgmwq | unknown | unknown
1788 | install.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/jlefmj | unknown | malicious
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4584 | armsvc.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/pt | unknown | unknown
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1788 | install.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/xfixqyeokrrhcn | unknown | unknown
4584 | armsvc.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/dfrc | unknown | malicious
1788 | install.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/ojphbqqai | unknown | unknown
1788 | install.exe | POST | | 172.234.222.138:80 | http://przvgke.biz/khpplcexqnfqxcr | unknown | unknown
7892 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/346ad9d1-746e-45c7-8fe0-d6c87a73a261?P1=1730934413&P2=404&P3=2&P4=mTipSB5gJPHyX23%2fZy%2f5i%2b7wKA7CPhJ4lZt0lUDWmHexwiIqtKAbX8gAOdj7vjoCA3BrpAZLU%2fnIS34IdKsi5w%3d%3d | unknown | whitelisted
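The beacons in this table share one shape: HTTP POST on port 80 from install.exe and from armsvc.exe (Adobe's ARM service binary, which the M0YV YARA rule also fires on) to a random-letter second-level domain under .biz with a random lowercase path, and two of the domains (pywolwnvd.biz, cvgrf.biz) resolve to the same IP. Suricata already names some of these domains; the detection below is an added example, not ANY.RUN's or the ET ruleset's code, that catches the shape rather than the names, so it survives domain rotation. The log lines are constructed from the HTTP table above (PIDs, hosts, paths, peers and status codes as printed, with a synthetic timestamp column and the long Edge download URL cut to its path); the log format, the SUSPECT_TLDS set and the vowel-ratio / consonant-run thresholds are my assumptions, tuned to this sample and to be validated against your own proxy traffic before use.

```python
"""Flag Expiro-style HTTP beacons: POST over plain HTTP to a random-letter
domain with a random path. Added example; not ANY.RUN's code.

LOG_LINES are constructed from the HTTP requests table of the report. The
line format (ts pid process method url peer status), SUSPECT_TLDS and the
scoring thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_LINES = """\
2024-10-30T23:07:01Z 4584 armsvc.exe POST http://pywolwnvd.biz/caipgmwq 54.244.188.177:80 200
2024-10-30T23:07:02Z 1788 install.exe POST http://pywolwnvd.biz/jlefmj 54.244.188.177:80 200
2024-10-30T23:07:03Z 5488 MoUsoCoreWorker.exe GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl 184.30.21.171:80 200
2024-10-30T23:07:04Z 4584 armsvc.exe POST http://ssbzmoy.biz/pt 18.141.10.107:80 200
2024-10-30T23:07:05Z 5488 MoUsoCoreWorker.exe GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl 23.48.23.143:80 200
2024-10-30T23:07:06Z 1788 install.exe POST http://ssbzmoy.biz/xfixqyeokrrhcn 18.141.10.107:80 200
2024-10-30T23:07:07Z 4584 armsvc.exe POST http://cvgrf.biz/dfrc 54.244.188.177:80 200
2024-10-30T23:07:08Z 1788 install.exe POST http://npukfztj.biz/ojphbqqai 44.221.84.105:80 200
2024-10-30T23:07:09Z 1788 install.exe POST http://przvgke.biz/khpplcexqnfqxcr 172.234.222.138:80 -
2024-10-30T23:07:10Z 7892 svchost.exe GET http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/346ad9d1-746e-45c7-8fe0-d6c87a73a261 199.232.214.172:80 206
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\S+) (\S+)$")
VOWELS = set("aeiou")
SUSPECT_TLDS = {"biz"}  # assumption: the TLD this sample used; widen with care


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'pywolwnvd' for pywolwnvd.biz.
    Assumption: two-label public suffixes (co.uk) are not handled; use the
    public suffix list in production."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label: str) -> bool:
    """Cheap DGA-style heuristic: letters only, few vowels, a long consonant run."""
    if not label.isalpha() or len(label) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", label)), default=0)
    return vowel_ratio < 0.3 and longest_run >= 3


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, proc, method, url, peer, status = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "pid": int(pid), "process": proc, "method": method,
            "url": url, "host": parts.hostname or "", "path": parts.path,
            "peer": peer, "status": status}


def is_beacon(rec) -> bool:
    """POST, plain HTTP to port 80, suspect TLD, random second-level label,
    random-looking lowercase path: the pattern every C2 request above shows."""
    if rec is None or rec["method"] != "POST":
        return False
    if not rec["url"].startswith("http://") or not rec["peer"].endswith(":80"):
        return False
    host = rec["host"]
    if host.rsplit(".", 1)[-1] not in SUSPECT_TLDS:
        return False
    path = rec["path"].lstrip("/")
    return looks_random(registrable_label(host)) and path.isalpha() and path.islower()


def detect(lines):
    """Return the flagged records and a peer-IP -> hosts map for pivoting on
    shared infrastructure (several beacon domains behind one address)."""
    flagged = [r for r in map(parse, lines) if is_beacon(r)]
    by_ip = defaultdict(set)
    for r in flagged:
        by_ip[r["peer"].rsplit(":", 1)[0]].add(r["host"])
    return flagged, dict(by_ip)


if __name__ == "__main__":
    flagged, by_ip = detect(LOG_LINES.splitlines())
    for r in flagged:
        print(f"{r['ts']} pid={r['pid']} {r['process']:<12} {r['method']} {r['url']} -> {r['peer']}")
    for ip, hosts in sorted(by_ip.items()):
        print(f"peer {ip} serves {len(hosts)} suspect host(s): {', '.join(sorted(hosts))}")
```

The process column is what makes this worth correlating with the file table above: the beacons come from PIDs 1788 and 4584, and 4584 is armsvc.exe, a legitimate vendor service binary, so a network alert on this pattern should trigger a signature check of the beaconing image rather than a search for a separate implant.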

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(Blank cells are blank in the export.)

4 | System | 192.168.100.255:137 | | | | whitelisted
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1252 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
 | | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1788 | install.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.128
  • 104.126.37.176
  • 104.126.37.144
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.155
  • 104.126.37.137
  • 104.126.37.170
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.174
whitelisted
pywolwnvd.biz
  • 54.244.188.177
malicious
ssbzmoy.biz
  • 18.141.10.107
unknown
cvgrf.biz
  • 54.244.188.177
malicious
clients2.google.com
  • 142.250.186.174
whitelisted
npukfztj.biz
  • 44.221.84.105
unknown

Threats

PID | Process | Class | Message

2172 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2172 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
6484 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6484 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP

Note on attribution: PID 2172 is the DNS Client service host (svchost.exe -k NetworkService -p -s Dnscache in the Process information section), so the two DNS alerts are the resolver acting on behalf of another process; the process that asked for knjghuig.biz has to be found from process-level network events, not from this PID.
2 ETPRO signatures available at the full report
No debug info