download:

/Haru01111/Black-Myth-Wukong-Repack/releases/download/Download/project.zip

Full analysis: https://app.any.run/tasks/6db1d3a6-2804-4f71-bc69-10b4fe10ff65
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 28, 2024, 13:22:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
crypto-regex
antivm
loader
opendir
github
rhadamanthys
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

5D00C857B6D88260D095DC1820919149

SHA1:

9D5CBA0DB62CDBAE2BF4028739CFF06B89554852

SHA256:

C68FD8EC9249CC2EE53C1EE523087DDF19974B45E3DD69603B1BBADEEC50D87F

SSDEEP:

196608:VBSe8h6tMvoQvw1gZ3HVCJadkrsTSruIt5A+ozfM:DQlvI+11CJadkw2dw+ozk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 5504)

    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • The DLL Hijacking

      • msedgewebview2.exe (PID: 5376)
      • msedgewebview2.exe (PID: 5796)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1436)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 4100)
      • powershell.exe (PID: 5144)
      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 4540)
      • powershell.exe (PID: 6416)

    • Adds path to the Windows Defender exclusion list

      • myproject.exe (PID: 2660)
      • powershell.exe (PID: 1436)
      • driver1.exe (PID: 6240)

    • Uses Task Scheduler to run other applications

      • myproject.exe (PID: 2660)

    • RHADAMANTHYS has been detected (SURICATA)

      • OpenWith.exe (PID: 448)

    • Actions looks like stealing of personal data

      • OOBE-Maintenance.exe (PID: 6476)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 6608)

    • Process drops legitimate windows executable

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • svchost.exe (PID: 812)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6608)
      • myproject.exe (PID: 4008)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5504)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 5072)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2684)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3316)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3972)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • msedgewebview2.exe (PID: 2232)
      • myproject.exe (PID: 4008)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 5700)

    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 5700)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 812)

    • There is functionality for VM detection (VirtualBox)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • There is functionality for VM detection (antiVM strings)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • There is functionality for VM detection (VMWare)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • Found regular expressions for crypto-addresses (YARA)

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 2660)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 1288)

    • Application launched itself

      • setup.exe (PID: 6404)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • msedgewebview2.exe (PID: 2232)
      • myproject.exe (PID: 4008)
      • msedgewebview2.exe (PID: 2040)
      • powershell.exe (PID: 1436)
      • msedgewebview2.exe (PID: 6372)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 6916)

    • Creates a software uninstall entry

      • setup.exe (PID: 6404)

    • Searches for installed software

      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 2040)

    • Starts POWERSHELL.EXE for commands execution

      • myproject.exe (PID: 2660)
      • powershell.exe (PID: 1436)
      • driver1.exe (PID: 6240)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 1436)

    • Script adds exclusion path to Windows Defender

      • myproject.exe (PID: 2660)
      • powershell.exe (PID: 1436)
      • driver1.exe (PID: 6240)

    • Read disk information to detect sandboxing environments

      • myproject.exe (PID: 2660)

    • Uses WMIC.EXE to obtain a list of video controllers

      • myproject.exe (PID: 2660)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6240)

    • Get information on the list of running processes

      • myproject.exe (PID: 2660)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 32)

    • Uses WMIC.EXE to obtain Windows Installer data

      • myproject.exe (PID: 2660)

    • Connects to unusual port

      • myproject.exe (PID: 2660)
      • OpenWith.exe (PID: 448)

    • Adds/modifies Windows certificates

      • myproject.exe (PID: 2660)

    • Contacting a server suspected of hosting an CnC

      • OpenWith.exe (PID: 448)

    • The process checks if it is being run in the virtual environment

      • OpenWith.exe (PID: 448)

  • INFO

    • Create files in a temporary directory

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • svchost.exe (PID: 812)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • Reads the computer name

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2684)
      • MicrosoftEdgeUpdate.exe (PID: 5072)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3316)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3972)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 4068)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 5376)
      • msedgewebview2.exe (PID: 188)
      • myproject.exe (PID: 2660)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 1176)
      • msedgewebview2.exe (PID: 5796)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 6372)
      • myproject.exe (PID: 6232)
      • msedgewebview2.exe (PID: 6916)
      • driver1.exe (PID: 6240)

    • Reads the software policy settings

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • slui.exe (PID: 252)
      • slui.exe (PID: 2092)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Checks supported languages

      • MicrosoftEdgeWebview2Setup.exe (PID: 368)
      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 5072)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2684)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3316)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3972)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 4068)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 6404)
      • setup.exe (PID: 1568)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 1356)
      • msedgewebview2.exe (PID: 5376)
      • msedgewebview2.exe (PID: 188)
      • msedgewebview2.exe (PID: 6372)
      • msedgewebview2.exe (PID: 1128)
      • myproject.exe (PID: 2660)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 2960)
      • msedgewebview2.exe (PID: 5796)
      • msedgewebview2.exe (PID: 1176)
      • msedgewebview2.exe (PID: 7004)
      • msedgewebview2.exe (PID: 6292)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 6372)
      • msedgewebview2.exe (PID: 3180)
      • msedgewebview2.exe (PID: 6916)
      • myproject.exe (PID: 6232)
      • msedgewebview2.exe (PID: 7036)
      • msedgewebview2.exe (PID: 7084)
      • msedgewebview2.exe (PID: 376)
      • driver1.exe (PID: 6240)
      • msedgewebview2.exe (PID: 2484)
      • msedgewebview2.exe (PID: 6480)
      • twoface.exe (PID: 6312)
      • msedgewebview2.exe (PID: 6288)

    • Reads Environment values

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • myproject.exe (PID: 2660)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 5700)
      • myproject.exe (PID: 6232)

    • Manual execution by a user

      • myproject.exe (PID: 4008)
      • myproject.exe (PID: 5700)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6608)

    • Reads the machine GUID from the registry

      • myproject.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)
      • myproject.exe (PID: 2660)
      • driver1.exe (PID: 6240)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • MicrosoftEdge_X64_128.0.2739.42.exe (PID: 6364)
      • setup.exe (PID: 1568)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 1356)
      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 188)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 1176)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • setup.exe (PID: 6404)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 1128)
      • myproject.exe (PID: 4008)
      • msedgewebview2.exe (PID: 2040)
      • msedgewebview2.exe (PID: 6292)
      • msedgewebview2.exe (PID: 3180)
      • myproject.exe (PID: 5700)
      • msedgewebview2.exe (PID: 7084)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 6464)
      • MicrosoftEdgeUpdate.exe (PID: 1288)
      • slui.exe (PID: 252)
      • MicrosoftEdgeUpdate.exe (PID: 6724)
      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • Reads Microsoft Office registry keys

      • msedgewebview2.exe (PID: 2232)
      • msedgewebview2.exe (PID: 2040)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1436)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 4100)
      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 5144)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 4540)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1436)
      • powershell.exe (PID: 6748)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 4100)
      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 4540)
      • powershell.exe (PID: 5144)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6240)
      • WMIC.exe (PID: 32)

    • Creates files in the program directory

      • myproject.exe (PID: 2660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:08:28 05:18:52
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: project/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
206
Monitored processes
74
Malicious processes
14
Suspicious processes
3

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe rundll32.exe no specs THREAT myproject.exe microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe slui.exe microsoftedge_x64_128.0.2739.42.exe setup.exe setup.exe no specs microsoftedgeupdate.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs THREAT myproject.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs myproject.exe no specs msedgewebview2.exe msedgewebview2.exe msedgewebview2.exe no specs wmic.exe no specs conhost.exe no specs myproject.exe msedgewebview2.exe msedgewebview2.exe msedgewebview2.exe no specs driver1.exe powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs twoface.exe no specs #RHADAMANTHYS openwith.exe msedgewebview2.exe no specs oobe-maintenance.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
32wmic csproduct get uuidC:\Windows\System32\wbem\WMIC.exemyproject.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
188"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView" --webview-exe-name=myproject.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2144,i,7110114573701800082,5758494966328432496,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
128.0.2739.42
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
252C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
368C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
myproject.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
376C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=128.0.2739.42 --initial-client-data=0x194,0x198,0x19c,0x170,0x44,0x7fffd1f69fd8,0x7fffd1f69fe4,0x7fffd1f69ff0C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\128.0.2739.42\msedgewebview2.exe
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
128.0.2739.42
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\128.0.2739.42\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
448"C:\WINDOWS\system32\openwith.exe"C:\Windows\SysWOW64\OpenWith.exe
myproject.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
736\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeOOBE-Maintenance.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITSC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
96 227
Read events
92 047
Write events
4 108
Delete events
72

Modification events

(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\project.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
218
Suspicious files
214
Text files
82
Unknown types
0

Dropped files

PID
Process
Filename
Type
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\myproject.exe
MD5:
SHA256:
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\MicrosoftEdgeUpdate.exeexecutable
MD5:136E8226D68856DA40A4F60E70581B72
SHA256:B4B8A2F87EE9C5F731189FE9F622CB9CD18FA3D55B0E8E0AE3C3A44A0833709F
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\msedgeupdate.dllexecutable
MD5:5D89123F9B96098D8FAD74108BDD5F7E
SHA256:03C3C918886E58F096AA8E919B1E9F8DCD5A9F2A4765971049BF8DA305476F44
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\subtools\qgif.dllexecutable
MD5:F9BA44BB98F048E3B2F7E72D42A1A852
SHA256:DF50647B02ABF30CDA040460E9BE6D903CC7A3D07FD79C229CE136997BEAFD96
4008myproject.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeexecutable
MD5:45E5CA74B9AE3C3FC6F6A63C609783B6
SHA256:B4AFD37B9087DF7E041AE749FD0FA342926D9CCE533BDE9CDC4283132C3820A9
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\MicrosoftEdgeComRegisterShellARM64.exeexecutable
MD5:B69894FC1C3F26C77B1826EF8B5A9FC5
SHA256:B91BAD4C618EB6049B19364F62827470095E30519D07F4E0F2CCC387DDD5F1BF
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\MicrosoftEdgeUpdateOnDemand.exeexecutable
MD5:D0373E02A529653013865E392C417471
SHA256:D4CB47B4444BE38BB6DCADC8BC9CACC029CB73A66BC7AF152C1C4CA022446AA4
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\v8system.dllexecutable
MD5:ECEE079CB4CBDF0F01A6FEA56A307C36
SHA256:0424A29504A8F872497FA2D1274C9E84FB4635FA981FFABC04A113D848308070
368MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EU35D8.tmp\MicrosoftEdgeUpdateBroker.exeexecutable
MD5:31E1C773732A9CD1AB781205E39CF865
SHA256:3E90C66D0D00E294B9B51EC3ED7F846975D93736D424DA3C253A2238E63CFB33
6608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6608.18612\project\vpk.signaturestext
MD5:FB6A4F87C60DDA8D575DBF03DE8819D4
SHA256:7F13BC2F7E9E134969F69920C4E6415934B5237505D6B6C7CF88A1AFA69DC141
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
46
DNS requests
31
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3708
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5724
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
812
svchost.exe
HEAD
200
2.19.126.157:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725456200&P2=404&P3=2&P4=QJIBdwkpMPofRZGIMeJxHAM3ZOPK4AOvJ1fUnPXn1m4ZhFOIKQhlDTq%2bl9SHJ8umxBkcR8sngJb41Gr05MacAg%3d%3d
unknown
whitelisted
5724
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
812
svchost.exe
GET
200
2.19.126.157:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725456200&P2=404&P3=2&P4=QJIBdwkpMPofRZGIMeJxHAM3ZOPK4AOvJ1fUnPXn1m4ZhFOIKQhlDTq%2bl9SHJ8umxBkcR8sngJb41Gr05MacAg%3d%3d
unknown
whitelisted
812
svchost.exe
HEAD
200
23.48.23.56:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a50df300-a388-43f2-a3cd-e7b7e11aaa7c?P1=1725368067&P2=404&P3=2&P4=TA5O79kaS4HJnQgwf%2fG1ta4KRMwzSgMkIXwemiqu5LfePPONT49vzqiwPw4gVz3wHgQCluKGo6Ij%2fdLptA0Ysw%3d%3d
unknown
whitelisted
812
svchost.exe
GET
206
23.48.23.56:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a50df300-a388-43f2-a3cd-e7b7e11aaa7c?P1=1725368067&P2=404&P3=2&P4=TA5O79kaS4HJnQgwf%2fG1ta4KRMwzSgMkIXwemiqu5LfePPONT49vzqiwPw4gVz3wHgQCluKGo6Ij%2fdLptA0Ysw%3d%3d
unknown
whitelisted
2660
myproject.exe
GET
200
147.45.47.37:1488
http://147.45.47.37:1488/moa/Tricky2.rar
unknown
suspicious
812
svchost.exe
GET
206
23.48.23.56:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a50df300-a388-43f2-a3cd-e7b7e11aaa7c?P1=1725368067&P2=404&P3=2&P4=TA5O79kaS4HJnQgwf%2fG1ta4KRMwzSgMkIXwemiqu5LfePPONT49vzqiwPw4gVz3wHgQCluKGo6Ij%2fdLptA0Ysw%3d%3d
unknown
whitelisted
2660
myproject.exe
GET
200
147.45.47.37:2001
http://147.45.47.37:2001/?reason=d29ya2VyODE2Y2htZWw=:MUQxRkIwQkItMjFCOS00RkMwLUIwMTctQTREQURBMjMxRTE3aWxvdmVpdA==
unknown
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
6160
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6260
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
3708
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3708
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted

Threats

PID
Process
Class
Message
812
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2660
myproject.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
2660
myproject.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
2660
myproject.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host RAR Request
2660
myproject.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
2256
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
1 ETPRO signatures available at the full report
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming directory exists )
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView directory exists )
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView directory exists )
msedgewebview2.exe
[0828/132632.367:ERROR:exception_handler_server.cc(529)] ConnectNamedPipe: The pipe is being closed. (0xE8)
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\myproject.exe\EBWebView directory exists )
msedgewebview2.exe
[0828/132633.288:ERROR:exception_handler_server.cc(529)] ConnectNamedPipe: The pipe is being closed. (0xE8)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Haru01111/Black-Myth-Wukong-Repack/releases/download/Download/project.zip