File name:

photopad.exe.7z

Full analysis: https://app.any.run/tasks/150c5437-a01b-44a1-8c36-d5264e7d10be
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 12, 2025, 16:20:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
loader
opendir
antivm
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

3EEB3539F2E5FA398B069B3D05042A8F

SHA1:

C525B5D7338F37B0062C8BCBA1E6EDA49FBE6499

SHA256:

B22F2B5681C16F3B842E72CF04404DC479581AB95E3813F6B772CC1D47F7CFEF

SSDEEP:

98304:dLeOsbB9aRbTVdrfoRLGv+50sMeV6Y1WmNS3Yo0N6xjNVHlphtjkwA8IsQ62x20R:QwqXLn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6468)
    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 4388)
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • photopad.exe (PID: 3692)
    • Potential Corporate Privacy Violation

      • photopad.exe (PID: 3692)
    • Executable content was dropped or overwritten

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
    • Reads security settings of Internet Explorer

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 4388)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 4388)
    • Searches for installed software

      • nchsetup.exe (PID: 4388)
    • Starts itself from another location

      • nchsetup.exe (PID: 4388)
    • There is functionality for VM detection: antiVM strings (YARA)

      • photopad.exe (PID: 4536)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6468)
      • msedge.exe (PID: 3436)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 6468)
      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • msedge.exe (PID: 3436)
    • Create files in a temporary directory

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
      • photopad.exe (PID: 4536)
    • Reads the computer name

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
      • photopad.exe (PID: 5564)
      • identity_helper.exe (PID: 6824)
      • identity_helper.exe (PID: 8120)
    • Manual execution by a user

      • photopad.exe (PID: 3692)
      • msedge.exe (PID: 5348)
    • Checks supported languages

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
      • photopad.exe (PID: 5564)
      • identity_helper.exe (PID: 6824)
    • Process checks computer location settings

      • photopad.exe (PID: 3692)
      • ppadsetup.exe (PID: 6012)
    • Creates files in the program directory

      • nchsetup.exe (PID: 4388)
    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 4388)
      • photopad.exe (PID: 4536)
    • Reads the software policy settings

      • nchsetup.exe (PID: 4388)
    • Application launched itself

      • msedge.exe (PID: 5432)
      • msedge.exe (PID: 7468)
    • Reads Environment values

      • identity_helper.exe (PID: 6824)
      • identity_helper.exe (PID: 8120)
    • Creates files or folders in the user directory

      • photopad.exe (PID: 4536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2025:02:12 16:07:46+00:00
ArchivedFileName: photopad.exe
No data.
All screenshots are available in the full report
Total processes
212
Monitored processes
74
Malicious processes
3
Suspicious processes
0

Behavior graph

[Interactive process graph, available in the full report. Processes shown, in graph order: start, winrar.exe, photopad.exe, ppadsetup.exe, nchsetup.exe, photopad.exe, msedge.exe (numerous child processes), identity_helper.exe, rundll32.exe. Most msedge.exe and identity_helper.exe entries are marked "no specs" in the original graph.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 628
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2328,i,10111365051433987415,1506311442974392565,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 848
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4508 --field-trial-handle=2328,i,10111365051433987415,1506311442974392565,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7016 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID: 1220
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5056 --field-trial-handle=2328,i,10111365051433987415,1506311442974392565,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1536
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4028 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1620
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5368 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1944
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3536 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5776 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2324
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2728 --field-trial-handle=2300,i,11898111135720910708,11423603495060026815,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
16 029
Read events
15 652
Write events
354
Delete events
23

Modification events

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\photopad.exe.7z

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value:
0

(PID) Process: (6468) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
58
Suspicious files
774
Text files
129
Unknown types
0

Dropped files

PID | Process | Filename | Type

6012 | ppadsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | compressed
MD5: 65FB150ABCBAADECAA25A003C1634811
SHA256: 35ED4096245CF8C7D1EB3F3D5C629F66654E8A0DD47CEC4A184F6A593F5775F6

6012 | ppadsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | executable
MD5: 91C99BE1E96FFDBA96199F6C0357ED3A
SHA256: 1A67D94B89CD8AD674E0564C08203680102D60B5CC8AE8BD01EE2B0AF25678D8

6468 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6468.4128\photopad.exe | executable
MD5: DDB2FC2C419ABE8401DA4D9E4401BDCA
SHA256: 44138FC0DF042CF204D7B3D51C0BB35AF2AA6B894AA9D436C1DE36A9B39B4D8E

4388 | nchsetup.exe | C:\ProgramData\NCH Software\PhotoPad\firefoxsearchplugins\defaults\yahoo.xml | text
MD5: 7BB6B939749D3AC9FF863A848C0FE4FA
SHA256: 2275146F58CC10CCAF1849F1A001EDAD63B41C0EE73D159C4018B3650B337801

4388 | nchsetup.exe | C:\Users\Public\Desktop\PhotoPad Image Editor.lnk | binary
MD5: 1DA93D6807BD2BB4946018147C227673
SHA256: 444ED8E263704692764D2C7DE1FDF6AAA568C1B14444D8BF7E8A9B79DFACDA4E

4388 | nchsetup.exe | C:\ProgramData\NCH Software\PhotoPad\firefoxsearchplugins\profile\duckduckgo.xml | text
MD5: 832A8E0B9D1BAED7C745F1FD28B99966
SHA256: 3B4F8A49AC28F1C15CEF19732A3A68F047D31DDE45F2EC0AABBDCFB4F3B24010

4388 | nchsetup.exe | C:\ProgramData\NCH Software\PhotoPad\firefoxsearchplugins\profile\nchfastsearch.xml | text
MD5: DA1623BC98A25180C0A4D2BF5C141742
SHA256: 5325292AC0303D0D66FA098B0C8F8304D375E19D26C174BB4478DA0BA01416B2

4388 | nchsetup.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoPad Image Editor.lnk | binary
MD5: 50B7BDA331117DB8BDD57C4D4AFD89CD
SHA256: C7210B35C848CD41BC18D58D4A52E53FAA48FF954B67B9C7E3C8692C4FEACB1D

4388 | nchsetup.exe | C:\Users\admin\NCH Software Suite\Video Editing Software.lnk | binary
MD5: 5DF3DB2DDC470933959770BFD4C0D6FB
SHA256: CFBECE277575AFD9E6C8BEEEF3880D256987C020E97A4D3AF72A5AC33B521EC0

4388 | nchsetup.exe | C:\Users\Public\Desktop\NCH Suite.lnk | binary
MD5: C1EB2D2F0DF035CE33CC6B29A9292040
SHA256: 8B5E18F156DAA1376B4A8EBD3C4288FED2D5DED36008FC6F83070A54107F31C0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
221
DNS requests
207
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
95.101.54.240:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7120
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7120
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3692
photopad.exe
GET
200
173.247.250.125:80
http://www.audiochannel.net/versions/photopad.txt
unknown
whitelisted
6340
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3692
photopad.exe
GET
200
173.247.250.125:80
http://audiochannel.net/components/ppadsetup.exe
unknown
whitelisted
7700
msedge.exe
GET
304
23.53.193.109:80
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5208
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.122.48:443
www.bing.com
Akamai International B.V.
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
95.101.54.240:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1176
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.19.122.48
  • 2.19.122.45
  • 2.19.122.46
  • 2.19.122.44
  • 2.19.122.33
  • 2.19.122.49
  • 2.19.122.34
  • 2.19.122.39
  • 2.19.122.37
  • 95.100.248.212
  • 95.100.248.219
whitelisted
google.com
  • 142.250.185.78
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 23.53.193.109
whitelisted
crl.microsoft.com
  • 95.101.54.240
  • 95.101.54.224
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
  • 92.123.45.227
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.2
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.4
  • 20.190.159.131
  • 40.126.31.67
  • 20.190.159.130
whitelisted
go.microsoft.com
  • 23.40.141.150
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
3692
photopad.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
3692
photopad.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info