URL:

https://gofile.io/d/3gr9zp

Full analysis: https://app.any.run/tasks/429b225a-b698-489e-bb04-ae17a56c8803
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 01, 2025, 02:56:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
uac
stealer
generic
ims-api
crypto-regex
rust
Indicators:
MD5:

35B8B9DA1C63C9915783D507F0FB299F

SHA1:

8B41884908455119192D28114EE30CB1D3AA547E

SHA256:

87E1EC4B3E5D51B1CFFED978258C8B5C757840214E00A38BA649D391ECB019C5

SSDEEP:

3:N8rxL1WUuV:2Z7uV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 6320)
      • ComputerDefaults.exe (PID: 6260)
      • ComputerDefaults.exe (PID: 5564)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 7328)
      • reg.exe (PID: 8096)
      • reg.exe (PID: 6868)

    • Adds path to the Windows Defender exclusion list

      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)

    • Changes Windows Defender settings

      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)

    • Changes the autorun value in the registry

      • VolcanoUpdater.exe (PID: 5876)

    • Steals Discord credentials and data (YARA)

      • VolcanoUI.exe (PID: 7316)

    • Actions looks like stealing of personal data

      • VolcanoUI.exe (PID: 7316)

    • Steals credentials from Web Browsers

      • VolcanoUI.exe (PID: 7316)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 684)

    • Process drops python dynamic module

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 7240)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • Executable content was dropped or overwritten

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUpdater.exe (PID: 7240)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • Process drops legitimate windows executable

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • The process drops C-runtime libraries

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • There is functionality for taking screenshot (YARA)

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUI.exe (PID: 7316)

    • Loads Python modules

      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 4788)
      • VolcanoUpdater.exe (PID: 7232)
      • VolcanoUpdater.exe (PID: 7748)

    • Starts CMD.EXE for commands execution

      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 4788)
      • VolcanoUpdater.exe (PID: 7232)
      • VolcanoUpdater.exe (PID: 7748)

    • The process checks if it is being run in the virtual environment

      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 4788)
      • VolcanoUpdater.exe (PID: 7232)
      • VolcanoUpdater.exe (PID: 7748)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7840)
      • cmd.exe (PID: 1096)
      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 3908)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 7220)
      • cmd.exe (PID: 72)
      • cmd.exe (PID: 2216)

    • Changes default file association

      • reg.exe (PID: 7328)
      • reg.exe (PID: 8096)
      • reg.exe (PID: 6868)

    • Found strings related to reading or modifying Windows Defender settings

      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 4788)

    • Application launched itself

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 432)
      • cmd.exe (PID: 7372)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 2716)
      • cmd.exe (PID: 5268)

    • Script adds exclusion path to Windows Defender

      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)

    • Starts POWERSHELL.EXE for commands execution

      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)

    • Executing commands from a ".bat" file

      • VolcanoUpdater.exe (PID: 5876)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6684)

    • The executable file from the user directory is run by the CMD process

      • VolcanoUI.exe (PID: 7308)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6684)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 5172)

    • Gets system UUID (POWERSHELL)

      • powershell.exe (PID: 6820)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • VolcanoUI.exe (PID: 7316)

    • Found regular expressions for crypto-addresses (YARA)

      • VolcanoUI.exe (PID: 7316)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 7612)
      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 7240)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • identity_helper.exe (PID: 6340)
      • VolcanoUI.exe (PID: 7316)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 4788)
      • VolcanoUpdater.exe (PID: 2128)
      • VolcanoUpdater.exe (PID: 7748)
      • VolcanoUpdater.exe (PID: 7232)
      • VolcanoUpdater.exe (PID: 6192)

    • Application launched itself

      • msedge.exe (PID: 5168)
      • msedge.exe (PID: 7348)

    • Reads the computer name

      • identity_helper.exe (PID: 7612)
      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUpdater.exe (PID: 7240)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • identity_helper.exe (PID: 6340)
      • VolcanoUI.exe (PID: 7316)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 4788)
      • VolcanoUpdater.exe (PID: 7232)
      • VolcanoUpdater.exe (PID: 7748)
      • VolcanoUpdater.exe (PID: 2128)

    • Reads Environment values

      • identity_helper.exe (PID: 7612)
      • identity_helper.exe (PID: 6340)

    • Manual execution by a user

      • WinRAR.exe (PID: 684)
      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • WinRAR.exe (PID: 2232)
      • VolcanoUpdater.exe (PID: 6936)
      • powershell.exe (PID: 2216)
      • VolcanoUpdater.exe (PID: 7240)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)

    • Create files in a temporary directory

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUpdater.exe (PID: 7240)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • The sample compiled with english language support

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUpdater.exe (PID: 6192)
      • VolcanoUpdater.exe (PID: 2128)

    • PyInstaller has been detected (YARA)

      • VolcanoUpdater.exe (PID: 7656)
      • VolcanoUpdater.exe (PID: 7552)
      • VolcanoUpdater.exe (PID: 6936)
      • VolcanoUpdater.exe (PID: 7440)
      • VolcanoUI.exe (PID: 7308)
      • VolcanoUpdater.exe (PID: 1096)
      • VolcanoUpdater.exe (PID: 6292)
      • VolcanoUI.exe (PID: 7316)

    • Checks operating system version

      • VolcanoUpdater.exe (PID: 3620)
      • VolcanoUpdater.exe (PID: 5876)
      • VolcanoUI.exe (PID: 7316)
      • VolcanoUpdater.exe (PID: 6304)
      • VolcanoUpdater.exe (PID: 4788)
      • VolcanoUpdater.exe (PID: 7232)
      • VolcanoUpdater.exe (PID: 7748)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 6320)
      • ComputerDefaults.exe (PID: 6260)
      • ComputerDefaults.exe (PID: 5564)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6352)
      • powershell.exe (PID: 1712)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6352)
      • powershell.exe (PID: 1712)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 2216)

    • Launching a file from a Registry key

      • VolcanoUpdater.exe (PID: 5876)

    • Checks proxy server information

      • slui.exe (PID: 7612)
      • VolcanoUI.exe (PID: 7316)

    • Reads the software policy settings

      • slui.exe (PID: 7612)

    • Application based on Rust

      • VolcanoUI.exe (PID: 7316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
321
Monitored processes
164
Malicious processes
19
Suspicious processes
11

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs volcanoupdater.exe volcanoupdater.exe slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs volcanoupdater.exe volcanoupdater.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe volcanoupdater.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs volcanoupdater.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs volcanoupdater.exe volcanoui.exe taskkill.exe no specs msedge.exe no specs msedge.exe no specs volcanoupdater.exe volcanoupdater.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs volcanoui.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs systeminfo.exe no specs tiworker.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs volcanoupdater.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe volcanoupdater.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs volcanoupdater.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe volcanoupdater.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs volcanoupdater.exe no specs cmd.exe no specs conhost.exe no specs volcanoupdater.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
72C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"C:\Windows\System32\cmd.exeVolcanoUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
188"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffc43b1f208,0x7ffc43b1f214,0x7ffc43b1f220C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
304"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5252,i,1459615554390719946,17517181916609232186,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
432C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"C:\Windows\System32\cmd.exeVolcanoUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
536\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
536"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4320,i,4073777530488146486,3602553204729129125,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
684"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\VolcanoUI.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
892C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"C:\Windows\System32\cmd.exeVolcanoUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1096C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"C:\Windows\System32\cmd.exeVolcanoUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1096"C:\Users\admin\Desktop\VolcanoUI\VolcanoUpdater.exe" C:\Users\admin\Desktop\VolcanoUI\VolcanoUpdater.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\volcanoui\volcanoupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
69 620
Read events
69 513
Write events
82
Delete events
25

Modification events

(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5168) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D60B0630DB992F00
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656104
Operation:writeName:WindowTabManagerFileMappingId
Value:
{44320FB8-2BA2-4D8E-84A2-2A7200C46ADD}
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656104
Operation:writeName:WindowTabManagerFileMappingId
Value:
{17960080-DE12-4BF1-9F50-24D0E16F985D}
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656104
Operation:writeName:WindowTabManagerFileMappingId
Value:
{64074933-CFC7-4EB0-8C93-C1854718AAC2}
(PID) Process:(5168) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation:writeName:EnhancedLinkOpeningDefault
Value:
Default
(PID) Process:(5168) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D7264230DB992F00
Executable files
2 815
Suspicious files
382
Text files
7 996
Unknown types
78

Dropped files

PID
Process
Filename
Type
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF18d339.TMP
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF18d339.TMP
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF18d339.TMP
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF18d349.TMP
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF18d349.TMP
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5168msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
115
DNS requests
114
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3288
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2ef98485-cbad-4d99-b4c2-cd4abac73fb4?P1=1754501848&P2=404&P3=2&P4=E%2f%2b4Ug2njUSvWgqC%2fv3m7f03Vcy95Tc5vyilSTrmvS2w7kNUfqDKXN2QaBb3orzEVvZRdjt%2bYxSpVrfLaTJqMQ%3d%3d
unknown
whitelisted
3288
svchost.exe
GET
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2ef98485-cbad-4d99-b4c2-cd4abac73fb4?P1=1754501848&P2=404&P3=2&P4=E%2f%2b4Ug2njUSvWgqC%2fv3m7f03Vcy95Tc5vyilSTrmvS2w7kNUfqDKXN2QaBb3orzEVvZRdjt%2bYxSpVrfLaTJqMQ%3d%3d
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
5556
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:TzG4ziLR-AiuBLl1SHGD1udpK0W5tjjAgwcYTqjckW0&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7952
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3288
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5556
msedge.exe
150.171.27.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5556
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5556
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5556
msedge.exe
45.112.123.126:443
gofile.io
AMAZON-02
SG
whitelisted
5556
msedge.exe
92.123.104.53:443
copilot.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.238
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
gofile.io
  • 45.112.123.126
  • 51.75.242.210
whitelisted
copilot.microsoft.com
  • 92.123.104.53
  • 92.123.104.45
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.63
  • 92.123.104.62
  • 92.123.104.32
  • 92.123.104.31
  • 92.123.104.34
  • 92.123.104.33
  • 2.16.110.121
whitelisted
xpaywalletcdn.azureedge.net
  • 13.107.246.45
whitelisted
s.gofile.io
  • 51.159.98.203
whitelisted
api.gofile.io
  • 51.75.242.210
  • 45.112.123.126
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://gofile.io/d/3gr9zp