File name:

UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe

Full analysis: https://app.any.run/tasks/6b783e84-8a82-47c8-b43b-80ee26ca8e50
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:45:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
arch-scr
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

949FAB8A38F9163BE3019D326CD2AB3C

SHA1:

BCC4C0E24496556C9EA72B904034FF7FAD21B40B

SHA256:

BD3DA4BB59C183FDC093FC526CD75BB2A7969A757A7E698598943A0D79163CF7

SSDEEP:

49152:DPNVkWShlX40vue4HyNt85q0lVlqQXO6ZCmSxbv0kFgQ0Qh1lhUq8s891D751h1O:DP/kWSA4D05zrlhO6smSlvMQ0QrTU15C

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by analyst actions and is provided as-is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
    • The process creates files with name similar to system file names

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
    • Executable content was dropped or overwritten

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • vcredist_x86.exe (PID: 4540)
    • Starts CMD.EXE for commands execution

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • Ummy.exe (PID: 6552)
    • Get information on the list of running processes

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • cmd.exe (PID: 6892)
    • Process drops legitimate windows executable

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • Reads security settings of Internet Explorer

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • Setup.exe (PID: 5496)
    • Drops 7-zip archiver for unpacking

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
    • Starts a Microsoft application from unusual location

      • vcredist_x86.exe (PID: 4540)
      • vcredist_x86.exe (PID: 836)
    • Checks Windows Trust Settings

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • msiexec.exe (PID: 6348)
      • Setup.exe (PID: 5496)
    • Creates a software uninstall entry

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
    • The process drops C-runtime libraries

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • Creates file in the systems drive root

      • vcredist_x86.exe (PID: 4540)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1480)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 3736)
    • Application launched itself

      • Ummy.exe (PID: 6552)
  • INFO

    • Checks supported languages

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • vcredist_x86.exe (PID: 4540)
      • Setup.exe (PID: 5496)
      • msiexec.exe (PID: 6348)
      • Ummy.exe (PID: 7072)
      • Ummy.exe (PID: 7156)
      • Ummy.exe (PID: 4984)
      • Ummy.exe (PID: 6552)
      • Ummy.exe (PID: 4384)
    • The sample compiled with english language support

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • Create files in a temporary directory

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • Setup.exe (PID: 5496)
      • Ummy.exe (PID: 6552)
    • Reads the computer name

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • vcredist_x86.exe (PID: 4540)
      • Setup.exe (PID: 5496)
      • msiexec.exe (PID: 6348)
      • Ummy.exe (PID: 7156)
    • Reads the machine GUID from the registry

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • Setup.exe (PID: 5496)
      • msiexec.exe (PID: 6348)
      • Ummy.exe (PID: 6552)
    • Checks proxy server information

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • Ummy.exe (PID: 6552)
    • Reads the software policy settings

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • Setup.exe (PID: 5496)
      • msiexec.exe (PID: 6348)
      • Ummy.exe (PID: 6552)
    • Creates files or folders in the user directory

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
      • msiexec.exe (PID: 6348)
      • Ummy.exe (PID: 6552)
      • Ummy.exe (PID: 7156)
    • The process uses the downloaded file

      • UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe (PID: 3688)
    • The sample compiled with Italian language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with french language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with japanese language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with chinese language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with korean language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with spanish language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with russian language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • The sample compiled with german language support

      • vcredist_x86.exe (PID: 4540)
      • msiexec.exe (PID: 6348)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6348)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6348)
    • Sends debugging messages

      • Setup.exe (PID: 5496)
    • Process checks computer location settings

      • Ummy.exe (PID: 4984)
      • Ummy.exe (PID: 6552)
      • Ummy.exe (PID: 4384)
    • Manual execution by a user

      • Ummy.exe (PID: 6552)
    • Application launched itself

      • msedge.exe (PID: 6720)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Ummy.exe (PID: 4384)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductVersion: 1.17.2
ProductName: Ummy
LegalCopyright: Copyright © 2024 ITPRODUCTDEV LTD
FileVersion: 1.17.2
FileDescription: Ummy Desktop
CompanyName: ITPRODUCTDEV LTD
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.17.2.0
FileVersionNumber: 1.17.2.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x338f
UninitializedDataSize: 16384
InitializedDataSize: 473088
CodeSize: 26624
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2018:12:15 22:26:14+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes
193
Monitored processes
63
Malicious processes
4
Suspicious processes
0

Behavior graph

start ummyvd-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs vcredist_x86.exe no specs vcredist_x86.exe setup.exe msiexec.exe ummy.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs ummy.exe no specs ummy.exe ummy.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs ummy.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty for every record shown)

PID:
3688
CMD:
"C:\Users\admin\AppData\Local\Temp\UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe"
Path:
C:\Users\admin\AppData\Local\Temp\UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Parent process:
explorer.exe
User:
admin
Company:
ITPRODUCTDEV LTD
Integrity Level:
MEDIUM
Description:
Ummy Desktop
Exit code:
0
Version:
1.17.2
Modules
Images
c:\users\admin\appdata\local\temp\ummyvd-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
5432
CMD:
"C:\WINDOWS\system32\cmd.exe" /C more < "C:\Users\admin\AppData\Local\Temp\UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe:Zone.Identifier"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2072
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6892
CMD:
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Ummy.exe" | %SYSTEMROOT%\System32\find.exe "Ummy.exe"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6900
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6948
CMD:
tasklist /FI "USERNAME eq admin" /FI "IMAGENAME eq Ummy.exe"
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6956
CMD:
C:\WINDOWS\System32\find.exe "Ummy.exe"
Path:
C:\Windows\SysWOW64\find.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\find.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
836
CMD:
"C:\Users\admin\AppData\Local\Temp\nse543F.tmp\vcredist_x86.exe" /install /quiet /norestart
Path:
C:\Users\admin\AppData\Local\Temp\nse543F.tmp\vcredist_x86.exe
Parent process:
UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2010 x86 Redistributable Setup
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch needed UAC elevation; PID 4540 below is the same command line run at HIGH integrity)
Version:
10.0.40219.325
Modules
Images
c:\users\admin\appdata\local\temp\nse543f.tmp\vcredist_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
4540
CMD:
"C:\Users\admin\AppData\Local\Temp\nse543F.tmp\vcredist_x86.exe" /install /quiet /norestart
Path:
C:\Users\admin\AppData\Local\Temp\nse543F.tmp\vcredist_x86.exe
Parent process:
UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2010 x86 Redistributable Setup
Exit code:
0
Version:
10.0.40219.325
Modules
Images
c:\users\admin\appdata\local\temp\nse543f.tmp\vcredist_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5496
CMD:
c:\959e381ca42ed7885589acedec0a\Setup.exe /install /quiet /norestart
Path:
C:\959e381ca42ed7885589acedec0a\Setup.exe
Parent process:
vcredist_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setup Installer
Exit code:
0
Version:
10.0.40219.325 built by: SP1LDR
Modules
Images
c:\959e381ca42ed7885589acedec0a\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
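The command lines above show four behaviours worth turning into repeatable checks: cmd.exe reading the sample's own Zone.Identifier stream (the Mark-of-the-Web; that cmd.exe instance exited with code 1), a tasklist|find pipeline that tests whether Ummy.exe is already running, two launches of vcredist_x86.exe from the NSIS extraction directory nse543F.tmp (the first at MEDIUM integrity exiting with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED, the second at HIGH integrity exiting 0), and Setup.exe running from a random hex-named directory in the drive root. The script below is an added example, not code from ANY.RUN or from the Ummy project: it hand-copies those records into a list and runs the four rules plus an elevation-relaunch pairing over them. The rule names, the ns?????.tmp directory pattern and the hex-directory pattern are this example's assumptions.

```python
"""Command-line triage over the process records of this report.

Added example, not code from ANY.RUN or from the Ummy project. PROCESSES is
hand-copied from the 'Process information' section, reduced to the fields the
rules need; rule names and the two directory patterns are assumptions.
"""
import re
from dataclasses import dataclass

# NTSTATUS a non-elevated process gets when the target needs UAC elevation;
# the report prints it in decimal (3221226540).
STATUS_ELEVATION_REQUIRED = 0xC000042C

SAMPLE = "UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
NSIS_DIR = TEMP + r"\nse543F.tmp"   # NSIS plugin/extraction directory


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: str        # parent image name, as the report shows it
    image: str         # on-disk path of the executable
    cmdline: str
    integrity: str     # MEDIUM or HIGH
    exit_code: int


# Constructed from the report's process table.
PROCESSES = [
    Proc(3688, "explorer.exe", SAMPLE_PATH, '"' + SAMPLE_PATH + '"', "MEDIUM", 0),
    Proc(5432, SAMPLE, r"C:\Windows\SysWOW64\cmd.exe",
         '"C:\\WINDOWS\\system32\\cmd.exe" /C more < "' + SAMPLE_PATH + ':Zone.Identifier"',
         "MEDIUM", 1),
    Proc(6892, SAMPLE, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Ummy.exe"'
         r' | %SYSTEMROOT%\System32\find.exe "Ummy.exe"', "MEDIUM", 1),
    Proc(6948, "cmd.exe", r"C:\Windows\SysWOW64\tasklist.exe",
         r'tasklist /FI "USERNAME eq admin" /FI "IMAGENAME eq Ummy.exe"', "MEDIUM", 0),
    Proc(6956, "cmd.exe", r"C:\Windows\SysWOW64\find.exe",
         r'C:\WINDOWS\System32\find.exe "Ummy.exe"', "MEDIUM", 1),
    Proc(836, SAMPLE, NSIS_DIR + r"\vcredist_x86.exe",
         '"' + NSIS_DIR + r'\vcredist_x86.exe" /install /quiet /norestart',
         "MEDIUM", STATUS_ELEVATION_REQUIRED),
    Proc(4540, SAMPLE, NSIS_DIR + r"\vcredist_x86.exe",
         '"' + NSIS_DIR + r'\vcredist_x86.exe" /install /quiet /norestart',
         "HIGH", 0),
    Proc(5496, "vcredist_x86.exe", r"C:\959e381ca42ed7885589acedec0a\Setup.exe",
         r"c:\959e381ca42ed7885589acedec0a\Setup.exe /install /quiet /norestart",
         "HIGH", 0),
]

# Each rule is a predicate over one process record (rule names are assumptions).
RULES = {
    # Reads a file's Mark-of-the-Web stream through cmd.exe input redirection.
    "motw_stream_read": lambda p: re.search(r":Zone\.Identifier\b", p.cmdline, re.I) is not None,
    # tasklist piped into find: tests whether a named process is already running.
    "tasklist_pipe_find": lambda p: re.search(r"\btasklist\b.*\|.*\bfind(\.exe)?\b", p.cmdline, re.I) is not None,
    # Executable started from an NSIS extraction directory (%TEMP%\ns?????.tmp).
    "exec_from_nsis_tmp": lambda p: re.search(r"\\temp\\ns[a-z][0-9a-f]{1,4}\.tmp\\", p.image, re.I) is not None,
    # Executable started from a random hex-named directory in the drive root.
    "exec_from_root_hexdir": lambda p: re.match(r"^[a-z]:\\[0-9a-f]{16,32}\\", p.image, re.I) is not None,
}


def match_rules(procs):
    """Map each rule name to the sorted PIDs it fires on."""
    return {name: sorted(p.pid for p in procs if pred(p)) for name, pred in RULES.items()}


def elevation_relaunches(procs):
    """Pair a process that died with STATUS_ELEVATION_REQUIRED with a HIGH-integrity
    process running the identical command line (a UAC-elevated relaunch)."""
    pairs = []
    for p in procs:
        if p.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for q in procs:
            if q.pid != p.pid and q.cmdline == p.cmdline and q.integrity == "HIGH":
                pairs.append((p.pid, q.pid))
    return pairs


if __name__ == "__main__":
    for name, pids in match_rules(PROCESSES).items():
        print(f"{name:<24} {pids}")
    print("elevation relaunches:", elevation_relaunches(PROCESSES))
```

Two caveats for reading the hits: System.dll and nsExec.dll under %TEMP%\ns*.tmp are the stock NSIS System and nsExec plugins, so the "creating System.dll in Temp" signature and the exec_from_nsis_tmp rule fire for any NSIS installer that uses them, and Microsoft's redistributable bootstrappers unpack into exactly this kind of hex-named root directory. The elevation pair is the more informative record: the MEDIUM run failed with STATUS_ELEVATION_REQUIRED and the HIGH run succeeded, so the UAC prompt was approved during the session.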
Total events
20 285
Read events
19 636
Write events
607
Delete events
42

Modification events

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\589bbc75-bab8-5041-bad3-2b463b503e06
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\ummy

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Ummy
Operation: write
Name: vid
Value: 148

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\589bbc75-bab8-5041-bad3-2b463b503e06
Operation: write
Name: DisplayIcon
Value: C:\Users\admin\AppData\Local\ummy\uninstallerIcon.ico

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\589bbc75-bab8-5041-bad3-2b463b503e06
Operation: write
Name: Publisher
Value: ITPRODUCTDEV LTD

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\589bbc75-bab8-5041-bad3-2b463b503e06
Operation: write
Name: NoModify
Value: 1

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\589bbc75-bab8-5041-bad3-2b463b503e06
Operation: write
Name: NoRepair
Value: 1

PID 3688, UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe
Key: HKEY_CURRENT_USER\SOFTWARE\589bbc75-bab8-5041-bad3-2b463b503e06
Operation: write
Name: KeepShortcuts
Value: true
Executable files
96
Suspicious files
463
Text files
156
Unknown types
4

Dropped files

Columns: PID | Process | Filename | Type (- marks a cell the report leaves empty)

3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ummy-1.17.2-ia32.nsis[1].7z | -
MD5: -
SHA256: -
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Temp\nse543F.tmp\package.7z | -
MD5: -
SHA256: -
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Temp\nse543F.tmp\7z-out\icudtl.dat | -
MD5: -
SHA256: -
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Temp\nse543F.tmp\7z-out\LICENSES.chromium.html | -
MD5: -
SHA256: -
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: 623C118BE47301CE2F9ABDAAE8FA93F1
SHA256: 68CB973ABF44956D3D2C87D3BA5A9744DB920B0DBEAB20DA90858EC5A4522865
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | binary
MD5: 6C267D0F5E9DB296FEBA42DA9E43DEDE
SHA256: 5E06E6FF173B4937A584980B2ABA178984EA8FA30822F00E70E46DC712424627
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: 92B839135741069B05829B07B6F3F3FB
SHA256: 4AE12FEDBB424DA1938E2BF5B343DC175D9CDAAFD4123715BE68DDA9BB2F18C5
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Temp\nse543F.tmp\nsExec.dll | executable
MD5: EC0504E6B8A11D5AAD43B296BEEB84B2
SHA256: 5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Temp\nse543F.tmp\System.dll | executable
MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | C:\Users\admin\AppData\Local\Temp\nse543F.tmp\7z-out\locales\bg.pak | binary
MD5: 9C5A545DA2150EAE00A0240097FD423F
SHA256: A47C73AE35583C284941793A1ED8B80B3BC8A3E2AC1A049354A3B1C408232B00
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
101
DNS requests
91
Threats
0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP:port | URL | CN | Reputation (the Type and Size columns are empty for every row; - marks a cell the report leaves empty)

5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5568 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | GET | 200 | 104.21.1.194:80 | http://cdn-televzr.com/ummy/ummy-1.17.2-ia32.nsis.7z | unknown | -
6244 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
6348 | msiexec.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/CSPCA.crl | unknown | whitelisted
5568 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.146:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3688 | UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe | GET | 200 | 172.217.16.131:80 | http://c.pki.goog/r/r1.crl | unknown | whitelisted
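Most rows in this table are Windows' own revocation checks (OCSP and CRL fetches by SearchApp.exe, svchost.exe, msiexec.exe and others, plus the sample's own certificate-chain checks). The one request that belongs to the installer's purpose is PID 3688 fetching ummy-1.17.2-ia32.nsis.7z over plain HTTP from cdn-televzr.com, the archive that then appears in INetCache and is unpacked under nse543F.tmp\7z-out. The script below is an added example, not ANY.RUN's or the Ummy project's code: it copies a subset of the rows into a list, separates PKI plumbing from payload downloads, and pulls network IOCs for the sample's non-PKI traffic. The classification patterns and the file-extension list are assumptions of the example.

```python
"""Separate PKI noise from the sample's own downloads in the HTTP table.

Added example, not ANY.RUN's or ITPRODUCTDEV's code. HTTP_ROWS is copied from
the 'HTTP requests' table (PID, process, method, status, IP:port, URL); the
host/path patterns and the extension list are this example's assumptions.
"""
import re
from urllib.parse import urlsplit

SAMPLE = "UmmyVD-[ed24b3e43be1a42842f448e769eb8152,148,,,].exe"

# (pid, process, method, status, ip:port, url) -- constructed from the report.
HTTP_ROWS = [
    (5064, "SearchApp.exe", "GET", 200, "192.229.221.95:80",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D"),
    (5568, "SIHClient.exe", "GET", 200, "2.23.246.101:80",
     "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl"),
    (3688, SAMPLE, "GET", 200, "104.21.1.194:80",
     "http://cdn-televzr.com/ummy/ummy-1.17.2-ia32.nsis.7z"),
    (3688, SAMPLE, "GET", 200, "192.229.221.95:80",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D"),
    (6348, "msiexec.exe", "GET", 200, "2.16.241.19:80",
     "http://crl.microsoft.com/pki/crl/products/CSPCA.crl"),
    (3688, SAMPLE, "GET", 200, "172.217.16.131:80", "http://c.pki.goog/r/r1.crl"),
]

# Hosts and paths that are certificate-revocation plumbing (assumed patterns).
PKI_HOST = re.compile(r"^(ocsp|crl)\.|\.pki\.goog$", re.I)
PKI_PATH = re.compile(r"\.crl$|/pkiops/crl/|/pki/crl/", re.I)
# Extensions that mean "executable content or an archive of it" (assumed list).
PAYLOAD_EXT = (".7z", ".zip", ".exe", ".msi", ".dll", ".cab")


def classify(url):
    """Label a URL as PKI plumbing, a plaintext payload fetch, or other."""
    u = urlsplit(url)
    if PKI_HOST.search(u.hostname or "") or PKI_PATH.search(u.path):
        return "pki_revocation"
    if u.scheme == "http" and u.path.lower().endswith(PAYLOAD_EXT):
        return "plaintext_payload"
    return "other"


def sample_traffic(rows, sample=SAMPLE):
    """Rows issued by the sample itself that are not revocation checks."""
    return [r for r in rows if r[1] == sample and classify(r[5]) != "pki_revocation"]


def extract_iocs(rows, sample=SAMPLE):
    """Network IOCs (hosts, IPs, URLs) from the sample's non-PKI requests."""
    hosts, ips, urls = set(), set(), set()
    for _pid, _proc, _method, _status, ip_port, url in sample_traffic(rows, sample):
        hosts.add(urlsplit(url).hostname)
        ips.add(ip_port.rsplit(":", 1)[0])   # strip the port
        urls.add(url)
    return {"hosts": sorted(hosts), "ips": sorted(ips), "urls": sorted(urls)}


if __name__ == "__main__":
    for pid, proc, _m, _s, _ip, url in HTTP_ROWS:
        print(f"{pid:>5} {proc[:24]:<24} {classify(url):<18} {url[:70]}")
    print(extract_iocs(HTTP_ROWS))
```

The report shows the archive being fetched over unauthenticated HTTP and then unpacked, but not what integrity check, if any, the installer applies to it before extraction; the IOC set this produces (cdn-televzr.com, 104.21.1.194 and the .7z URL) is the part of the network activity that is specific to this sample rather than to Windows.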

Connections

Columns: PID | Process | IP:port | Domain | ASN | CN | Reputation (- marks a cell the report leaves empty)

- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.146:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2164 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1176 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.146
  • 23.48.23.147
  • 23.48.23.139
  • 23.48.23.137
  • 23.48.23.141
  • 23.48.23.143
  • 23.48.23.145
  • 23.48.23.140
  • 23.48.23.193
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.171
  • 104.126.37.163
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.123
  • 104.126.37.146
  • 104.126.37.161
  • 104.126.37.179
  • 104.126.37.147
  • 104.126.37.137
  • 104.126.37.131
  • 104.126.37.176
  • 104.126.37.130
  • 104.126.37.139
  • 104.126.37.185
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.76
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
www.google-analytics.com
  • 172.217.16.142
whitelisted
ocsp.pki.goog
  • 142.250.184.227
whitelisted
c.pki.goog
  • 172.217.16.131
whitelisted

Threats

No threats detected
Debug output

Process | Message
Setup.exe | The operation completed successfully.