File name:

photopad.exe.7z

Full analysis: https://app.any.run/tasks/150c5437-a01b-44a1-8c36-d5264e7d10be
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 12, 2025, 16:20:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
loader
opendir
antivm
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

3EEB3539F2E5FA398B069B3D05042A8F

SHA1:

C525B5D7338F37B0062C8BCBA1E6EDA49FBE6499

SHA256:

B22F2B5681C16F3B842E72CF04404DC479581AB95E3813F6B772CC1D47F7CFEF

SSDEEP:

98304:dLeOsbB9aRbTVdrfoRLGv+50sMeV6Y1WmNS3Yo0N6xjNVHlphtjkwA8IsQ62x20R:QwqXLn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6468)
    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 4388)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
      • photopad.exe (PID: 3692)
    • Executable content was dropped or overwritten

      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 3692)
    • Process requests binary or script from the Internet

      • photopad.exe (PID: 3692)
    • Searches for installed software

      • nchsetup.exe (PID: 4388)
    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 4388)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 4388)
    • Starts itself from another location

      • nchsetup.exe (PID: 4388)
    • There is functionality for VM detection antiVM strings (YARA)

      • photopad.exe (PID: 4536)
    • Potential Corporate Privacy Violation

      • photopad.exe (PID: 3692)
  • INFO

    • Reads the computer name

      • ppadsetup.exe (PID: 6012)
      • photopad.exe (PID: 3692)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
      • photopad.exe (PID: 5564)
      • identity_helper.exe (PID: 8120)
      • identity_helper.exe (PID: 6824)
    • Checks supported languages

      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
      • photopad.exe (PID: 5564)
      • identity_helper.exe (PID: 6824)
      • photopad.exe (PID: 3692)
    • Process checks computer location settings

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
    • Manual execution by a user

      • photopad.exe (PID: 3692)
      • msedge.exe (PID: 5348)
    • Create files in a temporary directory

      • photopad.exe (PID: 3692)
      • photopad.exe (PID: 4536)
      • ppadsetup.exe (PID: 6012)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6468)
      • msedge.exe (PID: 3436)
    • The sample is compiled with English language support

      • photopad.exe (PID: 3692)
      • WinRAR.exe (PID: 6468)
      • nchsetup.exe (PID: 4388)
      • msedge.exe (PID: 3436)
      • ppadsetup.exe (PID: 6012)
    • Creates files in the program directory

      • nchsetup.exe (PID: 4388)
    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
    • Reads the software policy settings

      • nchsetup.exe (PID: 4388)
    • Creates files or folders in the user directory

      • photopad.exe (PID: 4536)
    • Application launched itself

      • msedge.exe (PID: 5432)
      • msedge.exe (PID: 7468)
    • Reads Environment values

      • identity_helper.exe (PID: 6824)
      • identity_helper.exe (PID: 8120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2025:02:12 16:07:46+00:00
ArchivedFileName: photopad.exe
No data.
All screenshots are available in the full report
Total processes
212
Monitored processes
74
Malicious processes
3
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 628
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2328,i,10111365051433987415,1506311442974392565,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 848
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4508 --field-trial-handle=2328,i,10111365051433987415,1506311442974392565,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7016 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID: 1220
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5056 --field-trial-handle=2328,i,10111365051433987415,1506311442974392565,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1536
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4028 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1620
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5368 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1944
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3536 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5776 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2324
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2728 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
16 029
Read events
15 652
Write events
354
Delete events
23

Modification events

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\photopad.exe.7z

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
58
Suspicious files
774
Text files
129
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3692
Process: photopad.exe
Filename: C:\Users\admin\AppData\Local\Temp\PhotoPad-3816-1\ppadsetup.exe
Type: executable
MD5: 8DFA04E785C3AD4A98D1FE68741EAFFD
SHA256: EFB5067398882ADFB6F9CA0132093529FB28D0DB64C40257C053CDE6853F0AFF

PID: 6012
Process: ppadsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
Type: executable
MD5: 91C99BE1E96FFDBA96199F6C0357ED3A
SHA256: 1A67D94B89CD8AD674E0564C08203680102D60B5CC8AE8BD01EE2B0AF25678D8

PID: 4388
Process: nchsetup.exe
Filename: C:\Program Files (x86)\NCH Software\PhotoPad\photopad.exe
Type: executable
MD5: 91C99BE1E96FFDBA96199F6C0357ED3A
SHA256: 1A67D94B89CD8AD674E0564C08203680102D60B5CC8AE8BD01EE2B0AF25678D8

PID: 6012
Process: ppadsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab
Type: compressed
MD5: E1E00268E7A59EBF356A027663E3B675
SHA256: 23A39201AE04A4A963C19F718A1C71AD2B7C6EC916651F18F7876A38A5CAEEFF

PID: 6468
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb6468.4128\photopad.exe
Type: executable
MD5: DDB2FC2C419ABE8401DA4D9E4401BDCA
SHA256: 44138FC0DF042CF204D7B3D51C0BB35AF2AA6B894AA9D436C1DE36A9B39B4D8E

PID: 4388
Process: nchsetup.exe
Filename: C:\Program Files (x86)\NCH Software\PhotoPad\shellmenu.dll
Type: executable
MD5: D6D6C2C67AF83C936EDD5B86961AA950
SHA256: 4A4925604F7B5D6EEF38619DE608137B8BFF5514DFCF6B4E2EEC73F8FC6D9FCD

PID: 6012
Process: ppadsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab
Type: compressed
MD5: 65FB150ABCBAADECAA25A003C1634811
SHA256: 35ED4096245CF8C7D1EB3F3D5C629F66654E8A0DD47CEC4A184F6A593F5775F6

PID: 4388
Process: nchsetup.exe
Filename: C:\ProgramData\NCH Software\PhotoPad\firefoxsearchplugins\defaults\bing.xml
Type: text
MD5: DAC916913D8B3724452CCD5EEA28D7F3
SHA256: 59C5D3A1EE16D31B2084B7CE036923902AEB346B2F062F2A17D485C4AD5E8E65

PID: 4388
Process: nchsetup.exe
Filename: C:\Users\admin\NCH Software Suite\Video Editing Software.lnk
Type: binary
MD5: 5DF3DB2DDC470933959770BFD4C0D6FB
SHA256: CFBECE277575AFD9E6C8BEEEF3880D256987C020E97A4D3AF72A5AC33B521EC0

PID: 4388
Process: nchsetup.exe
Filename: C:\ProgramData\NCH Software\PhotoPad\firefoxsearchplugins\profile\duckduckgo.xml
Type: text
MD5: 832A8E0B9D1BAED7C745F1FD28B99966
SHA256: 3B4F8A49AC28F1C15CEF19732A3A68F047D31DDE45F2EC0AABBDCFB4F3B24010
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
221
DNS requests
207
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
95.101.54.240:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7120
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7120
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3692
photopad.exe
GET
200
173.247.250.125:80
http://audiochannel.net/components/ppadsetup.exe
unknown
whitelisted
6340
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3692
photopad.exe
GET
200
173.247.250.125:80
http://www.audiochannel.net/versions/photopad.txt
unknown
whitelisted
4536
photopad.exe
GET
200
173.247.250.125:80
http://www.audiochannel.net/stock/audio/camera/camera1.ns
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5208
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.122.48:443
www.bing.com
Akamai International B.V.
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
95.101.54.240:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1176
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.19.122.48
  • 2.19.122.45
  • 2.19.122.46
  • 2.19.122.44
  • 2.19.122.33
  • 2.19.122.49
  • 2.19.122.34
  • 2.19.122.39
  • 2.19.122.37
  • 95.100.248.212
  • 95.100.248.219
whitelisted
google.com
  • 142.250.185.78
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 23.53.193.109
whitelisted
crl.microsoft.com
  • 95.101.54.240
  • 95.101.54.224
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
  • 92.123.45.227
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.2
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.4
  • 20.190.159.131
  • 40.126.31.67
  • 20.190.159.130
whitelisted
go.microsoft.com
  • 23.40.141.150
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
3692
photopad.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
3692
photopad.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info