File name:

MalwareSample_DownloadAssistant.zip

Full analysis: https://app.any.run/tasks/c3e18fe8-23ec-4cdc-8dc2-1b1df9a64c34
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 12, 2025, 16:40:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, downloadassistant, adware, inno, installer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

24AAFF49DEEA0280691EF00B127A20E6

SHA1:

0E3E00C739229B20D983748EAB41F5DFB0D1514B

SHA256:

A2066F122E1C22B8F990AE8B06C1715C656FDD0DE60CD0D09A6757B9CDFC2B59

SSDEEP:

98304:RYA+s+cgy/hJHRq4aOx+5UTzx9/Wo7QHLxYFDz7HlWt3xZ29F5K8Mxu2EIlu3pNZ:Wbc7kQ4pSY6NecmpE0/k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6584)
    • DOWNLOADASSISTANT mutex has been found

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
      • trueimagewdedition675.exe (PID: 1812)
    • ADWARE has been detected (SURICATA)

      • trueimagewdedition675.exe (PID: 1812)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rebuilder_2K068DgOTV.exe (PID: 4892)
      • rebuilder_2K068DgOTV.exe (PID: 920)
      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • Reads security settings of Internet Explorer

      • rebuilder_2K068DgOTV.tmp (PID: 6300)
      • ShellExperienceHost.exe (PID: 1532)
    • Reads the Windows owner or organization settings

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • Process drops legitimate windows executable

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • The process drops C-runtime libraries

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • Executes application which crashes

      • trueimagewdedition675.exe (PID: 1812)
    • Access to an unwanted program domain was detected

      • trueimagewdedition675.exe (PID: 1812)
  • INFO

    • The sample compiled with english language support

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6584)
    • Checks supported languages

      • rebuilder_2K068DgOTV.exe (PID: 4892)
      • rebuilder_2K068DgOTV.tmp (PID: 6300)
      • rebuilder_2K068DgOTV.exe (PID: 920)
      • rebuilder_2K068DgOTV.tmp (PID: 6184)
      • trueimagewdedition675.exe (PID: 1812)
      • ShellExperienceHost.exe (PID: 1532)
    • Reads the computer name

      • rebuilder_2K068DgOTV.tmp (PID: 6300)
      • rebuilder_2K068DgOTV.tmp (PID: 6184)
      • trueimagewdedition675.exe (PID: 1812)
      • ShellExperienceHost.exe (PID: 1532)
    • Create files in a temporary directory

      • rebuilder_2K068DgOTV.exe (PID: 4892)
      • rebuilder_2K068DgOTV.exe (PID: 920)
      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • Manual execution by a user

      • rebuilder_2K068DgOTV.exe (PID: 4892)
    • Process checks computer location settings

      • rebuilder_2K068DgOTV.tmp (PID: 6300)
    • Creates files or folders in the user directory

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
      • WerFault.exe (PID: 5408)
      • WerFault.exe (PID: 6512)
      • WerFault.exe (PID: 2092)
      • WerFault.exe (PID: 4164)
      • WerFault.exe (PID: 5968)
      • WerFault.exe (PID: 5360)
      • WerFault.exe (PID: 6424)
      • WerFault.exe (PID: 2616)
      • WerFault.exe (PID: 4180)
    • Creates a software uninstall entry

      • rebuilder_2K068DgOTV.tmp (PID: 6184)
    • Detects InnoSetup installer (YARA)

      • rebuilder_2K068DgOTV.exe (PID: 4892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:05:12 16:34:00
ZipCRC: 0xee34f9dd
ZipCompressedSize: 7464260
ZipUncompressedSize: 7487626
ZipFileName: rebuilder_2K068DgOTV.exe
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 21
Malicious processes: 4
Suspicious processes: 1

Behavior graph

(Interactive process graph; rendered only in the full report. Processes shown, in the order the graph lists them: winrar.exe, sppextcomobj.exe (no specs), slui.exe (no specs), rebuilder_2k068dgotv.exe, rebuilder_2k068dgotv.tmp (no specs), rebuilder_2k068dgotv.exe #DOWNLOADASSISTANT, rebuilder_2k068dgotv.tmp #DOWNLOADASSISTANT, trueimagewdedition675.exe, werfault.exe (no specs, 11 instances), svchost.exe, shellexperiencehost.exe (no specs).)

Process information

Each entry below lists PID, CMD, Path and Parent process (the Indicators column of the report is empty for every listed process), followed by user, company, integrity level, description, version and the loaded modules (images).
PID: 920
CMD: "C:\Users\admin\Desktop\rebuilder_2K068DgOTV.exe" /SPAWNWND=$3024C /NOTIFYWND=$D02AE
Path: C:\Users\admin\Desktop\rebuilder_2K068DgOTV.exe
Parent process: rebuilder_2K068DgOTV.tmp
User: admin
Company:
Integrity Level: HIGH
Description: True Image WD Edition Setup
Version:
Modules (images):
c:\users\admin\desktop\rebuilder_2k068dgotv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1532
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID: 1676
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1812
CMD: "C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\trueimagewdedition675.exe" c3a7f6f8517555bd86e9608f76bf7a19
Path: C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\trueimagewdedition675.exe
Parent process: rebuilder_2K068DgOTV.tmp
User: admin
Integrity Level: HIGH
Version: 21.0.1.675
Modules (images):
c:\users\admin\appdata\local\true image wd edition 21.0.1.675\trueimagewdedition675.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 2092
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 1100
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: trueimagewdedition675.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2616
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 1324
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: trueimagewdedition675.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2616
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 996
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: trueimagewdedition675.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4164
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 1032
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: trueimagewdedition675.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4180
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1812 -s 1332
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: trueimagewdedition675.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 21 590
Read events: 21 476
Write events: 81
Delete events: 33

Modification events

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\MalwareSample_DownloadAssistant.zip

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256
Executable files: 31
Suspicious files: 33
Text files: 11
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type, with MD5 and SHA256 of the dropped file on the following lines.

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\uninstall\is-HUNUN.tmp | executable
MD5: D93CF1B42A548F3B215D2186994D2620
SHA256: B50F766773B85D7866B9A93B46A4C5729E5ACED76009ADBC69219A2D2C8813A1

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\libEGL.dll | executable
MD5: EAE56B896A718C3BC87A4253832A5650
SHA256: EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\uninstall\unins000.exe | executable
MD5: D93CF1B42A548F3B215D2186994D2620
SHA256: B50F766773B85D7866B9A93B46A4C5729E5ACED76009ADBC69219A2D2C8813A1

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\is-IM1HF.tmp | executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\is-HRP1R.tmp | executable
MD5: EAE56B896A718C3BC87A4253832A5650
SHA256: EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\icuin51.dll | executable
MD5: A7F201C0B9AC05E950ECC55D4403EC16
SHA256: 173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA

4892 | rebuilder_2K068DgOTV.exe | C:\Users\admin\AppData\Local\Temp\is-1VTEC.tmp\rebuilder_2K068DgOTV.tmp | executable
MD5: A7FE2A915B669ECBFEAB097C1166B3AA
SHA256: 2ABB9D391A7E1298D45E2AB720DD3B29109C110DB4651B1C6DA6BE7C205FC956

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\Temp\is-IC32J.tmp\_isetup\_setup64.tmp | executable
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81

6184 | rebuilder_2K068DgOTV.tmp | C:\Users\admin\AppData\Local\True Image WD Edition 21.0.1.675\libGLESv2.dll | executable
MD5: A73EE126B2E6D43182D4C3482899D338
SHA256: 06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763

920 | rebuilder_2K068DgOTV.exe | C:\Users\admin\AppData\Local\Temp\is-LNARD.tmp\rebuilder_2K068DgOTV.tmp | executable
MD5: A7FE2A915B669ECBFEAB097C1166B3AA
SHA256: 2ABB9D391A7E1298D45E2AB720DD3B29109C110DB4651B1C6DA6BE7C205FC956
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 22
DNS requests: 14
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation. The Type and Size columns are empty for every row and are omitted; a cell the report left empty is shown as (empty).

(empty) | (empty) | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(empty) | (empty) | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(empty) | (empty) | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(empty) | (empty) | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1812 | trueimagewdedition675.exe | POST | (empty) | 104.21.80.1:80 | http://start7345724.ru/new/net_api | unknown | unknown
1812 | trueimagewdedition675.exe | POST | (empty) | 104.21.80.1:80 | http://start7345724.ru/new/net_api | unknown | unknown
6036 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6036 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation; a cell the report left empty is shown as (empty).

(empty) | (empty) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (empty) | (empty) | (empty) | whitelisted
4 | System | 192.168.100.255:138 | (empty) | (empty) | (empty) | whitelisted
(empty) | (empty) | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
(empty) | (empty) | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1812 | trueimagewdedition675.exe | 104.21.80.1:80 | start7345724.ru | CLOUDFLARENET | unknown (the report gives a single value for this row's CN and Reputation cells)

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.65
  • 20.190.160.67
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
start7345724.ru
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.96.1
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

Columns: PID | Process | Class | Message

2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (start7345724 .ru)
1812 | trueimagewdedition675.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] DownloadAssistant HTTP POST Request
1812 | trueimagewdedition675.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] DownloadAssistant HTTP POST Request
No debug info