download:

/Haru01111/Black-Myth-Wukong-Repack/releases/download/Download/project.zip

Full analysis: https://app.any.run/tasks/6db1d3a6-2804-4f71-bc69-10b4fe10ff65
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 28, 2024, 13:22:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
crypto-regex
antivm
loader
opendir
github
rhadamanthys
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

5D00C857B6D88260D095DC1820919149

SHA1:

9D5CBA0DB62CDBAE2BF4028739CFF06B89554852

SHA256:

C68FD8EC9249CC2EE53C1EE523087DDF19974B45E3DD69603B1BBADEEC50D87F

SSDEEP:

196608:VBSe8h6tMvoQvw1gZ3HVCJadkrsTSruIt5A+ozfM:DQlvI+11CJadkw2dw+ozk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 5504)

    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • The DLL Hijacking

      • msedgewebview2.exe (PID: 5376)
      • msedgewebview2.exe (PID: 5796)

    • Adds path to the Windows Defender exclusion list

      • myproject.exe (PID: 2660)
      • powershell.exe (PID: 1436)
      • driver1.exe (PID: 6240)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1436)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 4100)
      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 5144)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 4540)

    • Uses Task Scheduler to run other applications

      • myproject.exe (PID: 2660)

    • Actions looks like stealing of personal data

      • OOBE-Maintenance.exe (PID: 6476)

    • RHADAMANTHYS has been detected (SURICATA)

      • OpenWith.exe (PID: 448)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 6608)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6608)
      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Executable content was dropped or overwritten

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • setup.exe (PID: 6404)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Process drops legitimate windows executable

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • svchost.exe (PID: 812)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2684)
      • MicrosoftEdgeUpdate.exe (PID: 5072)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3316)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5504)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • msedgewebview2.exe (PID: 2232)
      • myproject.exe (PID: 4008)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 5700)

    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 5700)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 812)

    • There is functionality for VM detection (antiVM strings)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • There is functionality for VM detection (VMWare)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • Found regular expressions for crypto-addresses (YARA)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • There is functionality for VM detection (VirtualBox)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • Application launched itself

      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 4008)
      • powershell.exe (PID: 1436)
      • msedgewebview2.exe (PID: 6372)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 6916)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 1288)

    • Creates a software uninstall entry

      • setup.exe (PID: 6404)

    • Searches for installed software

      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 2040)

    • Starts POWERSHELL.EXE for commands execution

      • myproject.exe (PID: 2660)
      • powershell.exe (PID: 1436)
      • driver1.exe (PID: 6240)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 1436)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Uses WMIC.EXE to obtain a list of video controllers

      • myproject.exe (PID: 2660)

    • Read disk information to detect sandboxing environments

      • myproject.exe (PID: 2660)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 1436)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 32)

    • Uses WMIC.EXE to obtain Windows Installer data

      • myproject.exe (PID: 2660)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6240)

    • Get information on the list of running processes

      • myproject.exe (PID: 2660)

    • Connects to unusual port

      • myproject.exe (PID: 2660)
      • OpenWith.exe (PID: 448)

    • Adds/modifies Windows certificates

      • myproject.exe (PID: 2660)

    • The process checks if it is being run in the virtual environment

      • OpenWith.exe (PID: 448)

    • Contacting a server suspected of hosting an CnC

      • OpenWith.exe (PID: 448)

  • INFO

    • Reads the computer name

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 5072)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2684)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3972)
      • MicrosoftEdgeUpdate.exe (PID: 4068)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3316)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 5376)
      • msedgewebview2.exe (PID: 188)
      • myproject.exe (PID: 2660)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 1176)
      • msedgewebview2.exe (PID: 5796)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 6372)
      • myproject.exe (PID: 6232)
      • msedgewebview2.exe (PID: 6916)
      • driver1.exe (PID: 6240)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6608)

    • Checks supported languages

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 5072)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2684)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3972)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 4068)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3316)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • setup.exe (PID: 1568)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 1356)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 5376)
      • msedgewebview2.exe (PID: 188)
      • msedgewebview2.exe (PID: 6372)
      • msedgewebview2.exe (PID: 1128)
      • msedgewebview2.exe (PID: 2960)
      • myproject.exe (PID: 2660)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 7004)
      • msedgewebview2.exe (PID: 6292)
      • msedgewebview2.exe (PID: 5796)
      • msedgewebview2.exe (PID: 1176)
      • msedgewebview2.exe (PID: 6372)
      • msedgewebview2.exe (PID: 376)
      • msedgewebview2.exe (PID: 3180)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 6916)
      • msedgewebview2.exe (PID: 7084)
      • msedgewebview2.exe (PID: 7036)
      • driver1.exe (PID: 6240)
      • myproject.exe (PID: 6232)
      • msedgewebview2.exe (PID: 6480)
      • msedgewebview2.exe (PID: 6288)
      • twoface.exe (PID: 6312)
      • msedgewebview2.exe (PID: 2484)

    • Reads Environment values

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • myproject.exe (PID: 2660)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 5700)
      • myproject.exe (PID: 6232)

    • Manual execution by a user

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 5700)

    • Create files in a temporary directory

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • svchost.exe (PID: 812)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • Reads the software policy settings

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • slui.exe (PID: 2092)
      • slui.exe (PID: 252)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Reads the machine GUID from the registry

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 1568)
      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 1356)
      • msedgewebview2.exe (PID: 188)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 1176)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 1128)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 4008)
      • msedgewebview2.exe (PID: 6292)
      • msedgewebview2.exe (PID: 3180)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 7084)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • slui.exe (PID: 252)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • Reads Microsoft Office registry keys

      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1436)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 4100)
      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5144)
      • powershell.exe (PID: 4540)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6416)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1436)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 4100)
      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 5144)
      • powershell.exe (PID: 4540)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6416)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6240)
      • WMIC.exe (PID: 32)

    • Creates files in the program directory

      • myproject.exe (PID: 2660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:08:28 05:18:52
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: project/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
206
Monitored processes
74
Malicious processes
14
Suspicious processes
3

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe rundll32.exe no specs THREAT myproject.exe microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe slui.exe microsoftedge_x64_128.0.2739.42.exe setup.exe setup.exe no specs microsoftedgeupdate.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs THREAT myproject.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs myproject.exe no specs msedgewebview2.exe msedgewebview2.exe msedgewebview2.exe no specs wmic.exe no specs conhost.exe no specs myproject.exe msedgewebview2.exe msedgewebview2.exe msedgewebview2.exe no specs driver1.exe powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs twoface.exe no specs #RHADAMANTHYS openwith.exe msedgewebview2.exe no specs oobe-maintenance.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
32wmic csproduct get uuidC:\Windows\System32\wbem\WMIC.exemyproject.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
188"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView" --webview-exe-name=myproject.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2144,i,7110114573701800082,5758494966328432496,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
128.0.2739.42
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
252C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
368C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
myproject.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
376C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=128.0.2739.42 --initial-client-data=0x194,0x198,0x19c,0x170,0x44,0x7fffd1f69fd8,0x7fffd1f69fe4,0x7fffd1f69ff0C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
128.0.2739.42
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
448"C:\WINDOWS\system32\openwith.exe"C:\Windows\SysWOW64\OpenWith.exe
myproject.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
736\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeOOBE-Maintenance.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITSC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
96 227
Read events
92 047
Write events
4 108
Delete events
72

Modification events

(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\project.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
218
Suspicious files
214
Text files
82
Unknown types
0

Dropped files

PID
Process
Filename
Type
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\myproject.exe
MD5:
SHA256:
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\p4lib.dllexecutable
MD5:211C207B439E7536E36C9B72742D380D
SHA256:F191532EF7781A5220A2C3A1124C7D35AD0999A0D96CE2D4855694B397732C7F
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\subtools\qwindowsvistastyle.dllexecutable
MD5:33BBBCF46418174C2E5803967AF6D1BA
SHA256:BE29D91C9EAC2BB826A011357D13593F216A68B55D8914EFFC480B61EA4348A5
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\MicrosoftEdgeUpdateComRegisterShell64.exeexecutable
MD5:205590D4FB4B1914D2853AB7A9839CCF
SHA256:5F82471D58B6E700248D9602CE4A0A5CDA4D2E2863EF1EB9FEE4EFFCC07F3767
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\subtools\qgif.dllexecutable
MD5:F9BA44BB98F048E3B2F7E72D42A1A852
SHA256:DF50647B02ABF30CDA040460E9BE6D903CC7A3D07FD79C229CE136997BEAFD96
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\subtools\qico.dllexecutable
MD5:FAF4F9CB5A4B18DD786EFC180B9BECBD
SHA256:DDAFD14AC6215B2BA8AF3CBB0A251DFFC4D76B7C5D0F419D614991FE9D16A093
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\vpk.signaturestext
MD5:FB6A4F87C60DDA8D575DBF03DE8819D4
SHA256:7F13BC2F7E9E134969F69920C4E6415934B5237505D6B6C7CF88A1AFA69DC141
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\v8system.dllexecutable
MD5:ECEE079CB4CBDF0F01A6FEA56A307C36
SHA256:0424A29504A8F872497FA2D1274C9E84FB4635FA981FFABC04A113D848308070
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\psmachine_64.dllexecutable
MD5:D8D6BE5B6DA998E0048955A7F5727AFE
SHA256:ADF25844A96EFA821CB5A5816CC61C3C41F0D6B57BCA2F4EF55DF808B67B7D40
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\msedgeupdate.dllexecutable
MD5:5D89123F9B96098D8FAD74108BDD5F7E
SHA256:03C3C918886E58F096AA8E919B1E9F8DCD5A9F2A4765971049BF8DA305476F44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
46
DNS requests
31
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3708
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5724
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5724
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
812
svchost.exe
HEAD
200
2.19.126.157:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725456200&P2=404&P3=2&P4=QJIBdwkpMPofRZGIMeJxHAM3ZOPK4AOvJ1fUnPXn1m4ZhFOIKQhlDTq%2bl9SHJ8umxBkcR8sngJb41Gr05MacAg%3d%3d
unknown
whitelisted
812
svchost.exe
GET
200
2.19.126.157:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725456200&P2=404&P3=2&P4=QJIBdwkpMPofRZGIMeJxHAM3ZOPK4AOvJ1fUnPXn1m4ZhFOIKQhlDTq%2bl9SHJ8umxBkcR8sngJb41Gr05MacAg%3d%3d
unknown
whitelisted
812
svchost.exe
HEAD
200
23.48.23.56:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a50df300-a388-43f2-a3cd-e7b7e11aaa7c?P1=1725368067&P2=404&P3=2&P4=TA5O79kaS4HJnQgwf%2fG1ta4KRMwzSgMkIXwemiqu5LfePPONT49vzqiwPw4gVz3wHgQCluKGo6Ij%2fdLptA0Ysw%3d%3d
unknown
whitelisted
2660
myproject.exe
GET
200
147.45.47.37:1488
http://147.45.47.37:1488/moa/Tricky2.rar
unknown
suspicious
812
svchost.exe
GET
206
23.48.23.56:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a50df300-a388-43f2-a3cd-e7b7e11aaa7c?P1=1725368067&P2=404&P3=2&P4=TA5O79kaS4HJnQgwf%2fG1ta4KRMwzSgMkIXwemiqu5LfePPONT49vzqiwPw4gVz3wHgQCluKGo6Ij%2fdLptA0Ysw%3d%3d
unknown
whitelisted
2660
myproject.exe
GET
200
147.45.47.37:2001
http://147.45.47.37:2001/?reason=d29ya2VyODE2Y2htZWw=:MUQxRkIwQkItMjFCOS00RkMwLUIwMTctQTREQURBMjMxRTE3aWxvdmVpdA==
unknown
suspicious
812
svchost.exe
GET
206
23.48.23.56:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a50df300-a388-43f2-a3cd-e7b7e11aaa7c?P1=1725368067&P2=404&P3=2&P4=TA5O79kaS4HJnQgwf%2fG1ta4KRMwzSgMkIXwemiqu5LfePPONT49vzqiwPw4gVz3wHgQCluKGo6Ij%2fdLptA0Ysw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
6160
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6260
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
3708
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3708
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
Potentially Bad Traffic
ET INFO Dotted Quad Host RAR Request
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
1 ETPRO signatures available at the full report
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming directory exists )
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView directory exists )
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView directory exists )
msedgewebview2.exe
[0828/132632.367:ERROR:exception_handler_server.cc(529)] ConnectNamedPipe: The pipe is being closed. (0xE8)
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView directory exists )
msedgewebview2.exe
[0828/132633.288:ERROR:exception_handler_server.cc(529)] ConnectNamedPipe: The pipe is being closed. (0xE8)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
/Haru01111/Black-Myth-Wukong-Repack/releases/download/Download/project.zip