File name:

invalidkey.exe

Full analysis: https://app.any.run/tasks/989eeabf-b26b-4447-b695-a995c2fa3e34
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 26, 2025, 18:54:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
m0yv
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

9BC5C0638D9BB1CAE646F1D8937A3187

SHA1:

61926CAA575A03CC14407839E2D35F4808DA6736

SHA256:

E744C04BA8A24EE1351F668172A5600EA0517190D76B7A3930FF5F7805A46644

SSDEEP:

98304:EfBT3zY9SeSlGn64tm6RaOsFvX9LDy/oVPsUlM5vRhz8luUvAphjeDBa8zreE4+K:F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • alg.exe (PID: 2092)
      • AppVClient.exe (PID: 1012)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5776)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • GameInputSvc.exe (PID: 7084)
      • FXSSVC.exe (PID: 6540)
      • GameInputSvc.exe (PID: 7192)
      • GoogleUpdate.exe (PID: 7300)
      • elevation_service.exe (PID: 7236)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • elevation_service.exe (PID: 7524)
      • maintenanceservice.exe (PID: 7620)
      • GoogleUpdate.exe (PID: 7576)
      • msdtc.exe (PID: 7684)
      • GoogleUpdate.exe (PID: 7740)
      • PerceptionSimulationService.exe (PID: 7880)
      • PSEXESVC.exe (PID: 8016)
      • Spectrum.exe (PID: 4784)
      • ssh-agent.exe (PID: 6240)
      • snmptrap.exe (PID: 8180)
      • SensorDataService.exe (PID: 8136)
      • Locator.exe (PID: 8068)
      • TieringEngineService.exe (PID: 7420)
      • AgentService.exe (PID: 7508)
      • vds.exe (PID: 7636)
      • VSSVC.exe (PID: 7608)
      • wbengine.exe (PID: 7940)
      • WmiApSrv.exe (PID: 7552)
      • SearchIndexer.exe (PID: 8224)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • GoogleUpdate.exe (PID: 8784)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
    • M0YV has been detected (YARA)

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5776)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • GameInputSvc.exe (PID: 7084)
      • GameInputSvc.exe (PID: 7192)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • elevation_service.exe (PID: 7524)
      • msdtc.exe (PID: 7684)
      • alg.exe (PID: 2092)
      • elevation_service.exe (PID: 7236)
  • SUSPICIOUS

    • Executes as Windows Service

      • armsvc.exe (PID: 5008)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • alg.exe (PID: 2092)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5776)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • FXSSVC.exe (PID: 6540)
      • GameInputSvc.exe (PID: 7084)
      • GoogleUpdate.exe (PID: 7300)
      • maintenanceservice.exe (PID: 7620)
      • AppVClient.exe (PID: 1012)
      • msdtc.exe (PID: 7684)
      • PerceptionSimulationService.exe (PID: 7880)
      • PSEXESVC.exe (PID: 8016)
      • perfhost.exe (PID: 7980)
      • AgentService.exe (PID: 7508)
      • TieringEngineService.exe (PID: 7420)
      • ssh-agent.exe (PID: 6240)
      • Spectrum.exe (PID: 4784)
      • snmptrap.exe (PID: 8180)
      • SensorDataService.exe (PID: 8136)
      • Locator.exe (PID: 8068)
      • vds.exe (PID: 7636)
      • VSSVC.exe (PID: 7608)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • WmiApSrv.exe (PID: 7552)
      • wbengine.exe (PID: 7940)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 8976)
      • updater.exe (PID: 7628)
      • updater.exe (PID: 6248)
    • Starts CMD.EXE for commands execution

      • invalidkey.exe (PID: 5512)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • GameInputSvc.exe (PID: 7084)
      • GoogleUpdate.exe (PID: 7300)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • updater.exe (PID: 5364)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 8976)
      • updater.exe (PID: 4380)
      • updater.exe (PID: 7628)
      • updater.exe (PID: 6248)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5048)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7324)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7404)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
    • Process drops legitimate windows executable

      • invalidkey.exe (PID: 5512)
    • Executable content was dropped or overwritten

      • invalidkey.exe (PID: 5512)
      • svchost.exe (PID: 7732)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 5364)
      • updater.exe (PID: 7628)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 7732)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 7732)
    • There is functionality for taking screenshot (YARA)

      • GoogleUpdate.exe (PID: 7456)
    • Connects to the server without a host name

      • armsvc.exe (PID: 5008)
      • invalidkey.exe (PID: 5512)
  • INFO

    • Creates files or folders in the user directory

      • invalidkey.exe (PID: 5512)
      • GoogleUpdate.exe (PID: 7576)
    • Checks supported languages

      • armsvc.exe (PID: 5008)
      • invalidkey.exe (PID: 5512)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5048)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7324)
      • elevation_service.exe (PID: 7236)
      • GoogleUpdate.exe (PID: 7300)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7404)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • elevation_service.exe (PID: 7524)
      • maintenanceservice.exe (PID: 7620)
      • GoogleCrashHandler.exe (PID: 7604)
      • GoogleUpdate.exe (PID: 7576)
      • GoogleUpdate.exe (PID: 7740)
      • GoogleCrashHandler64.exe (PID: 7672)
      • PSEXESVC.exe (PID: 8016)
      • ssh-agent.exe (PID: 6240)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
      • GoogleUpdate.exe (PID: 8784)
    • Reads the computer name

      • armsvc.exe (PID: 5008)
      • invalidkey.exe (PID: 5512)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5048)
      • GoogleUpdate.exe (PID: 7300)
      • elevation_service.exe (PID: 7236)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7404)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7324)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • GoogleUpdate.exe (PID: 7576)
      • elevation_service.exe (PID: 7524)
      • maintenanceservice.exe (PID: 7620)
      • GoogleCrashHandler.exe (PID: 7604)
      • GoogleUpdate.exe (PID: 7740)
      • GoogleCrashHandler64.exe (PID: 7672)
      • PSEXESVC.exe (PID: 8016)
      • ssh-agent.exe (PID: 6240)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
      • GoogleUpdate.exe (PID: 8784)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 6540)
      • GoogleUpdate.exe (PID: 7300)
      • GoogleUpdate.exe (PID: 7456)
      • GoogleUpdate.exe (PID: 7576)
      • maintenanceservice.exe (PID: 7620)
      • GoogleUpdate.exe (PID: 7740)
      • SearchIndexer.exe (PID: 8224)
      • GoogleUpdate.exe (PID: 8784)
    • Executes as Windows Service

      • elevation_service.exe (PID: 7236)
      • elevation_service.exe (PID: 7524)
      • SearchIndexer.exe (PID: 8224)
    • Checks proxy server information

      • invalidkey.exe (PID: 5512)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 7192)
      • GoogleUpdate.exe (PID: 7576)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • GoogleUpdate.exe (PID: 8784)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 7684)
    • The sample compiled with english language support

      • invalidkey.exe (PID: 5512)
      • svchost.exe (PID: 7732)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 5364)
      • updater.exe (PID: 7628)
    • Reads the time zone

      • TieringEngineService.exe (PID: 7420)
    • Reads the machine GUID from the registry

      • GoogleUpdate.exe (PID: 7576)
      • GoogleUpdate.exe (PID: 8784)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 8416)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 8496)
      • SearchFilterHost.exe (PID: 8524)
    • The sample compiled with bulgarian language support

      • invalidkey.exe (PID: 5512)
    • Create files in a temporary directory

      • svchost.exe (PID: 7732)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Clipper DOS Executable (33.5)
.exe | Generic Win/DOS Executable (33.2)
.exe | DOS Executable Generic (33.2)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:14 11:29:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2479104
InitializedDataSize: 1528320
UninitializedDataSize: -
EntryPoint: 0x25ce6c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
All screenshots are available in the full report
Total processes
192
Monitored processes
65
Malicious processes
38
Suspicious processes
2

Behavior graph

Process nodes in launch order (#M0YV marks a process that triggered the M0YV signatures; "no specs" marks a process with no notable indicators):

start; #M0YV invalidkey.exe; conhost.exe (no specs); #M0YV armsvc.exe; #M0YV flashplayerupdateservice.exe (no specs); cmd.exe (no specs); #M0YV alg.exe (no specs); #M0YV appvclient.exe (no specs); #M0YV diagnosticshub.standardcollector.service.exe (no specs); #M0YV microsoftedgeupdate.exe (no specs); #M0YV microsoftedgeupdate.exe (no specs); #M0YV fxssvc.exe (no specs); #M0YV microsoftedgeupdate.exe (no specs); #M0YV gameinputsvc.exe (no specs); microsoftedgeupdatecomregistershell64.exe (no specs); #M0YV gameinputsvc.exe (no specs); #M0YV elevation_service.exe (no specs); #M0YV googleupdate.exe (no specs); microsoftedgeupdatecomregistershell64.exe (no specs); microsoftedgeupdatecomregistershell64.exe (no specs); #M0YV googleupdate.exe (no specs); #M0YV microsoftedgeupdate.exe (no specs); #M0YV elevation_service.exe (no specs); #M0YV googleupdate.exe; googlecrashhandler.exe (no specs); #M0YV maintenanceservice.exe (no specs); googlecrashhandler64.exe (no specs); #M0YV msdtc.exe (no specs); #M0YV googleupdate.exe (no specs); #M0YV perceptionsimulationservice.exe (no specs); perfhost.exe (no specs); #M0YV psexesvc.exe (no specs); #M0YV locator.exe (no specs); #M0YV sensordataservice.exe (no specs); #M0YV snmptrap.exe (no specs); #M0YV spectrum.exe (no specs); #M0YV ssh-agent.exe (no specs); #M0YV tieringengineservice.exe (no specs); #M0YV agentservice.exe (no specs); #M0YV vds.exe (no specs); #M0YV vssvc.exe (no specs); #M0YV wbengine.exe (no specs); #M0YV wmiapsrv.exe (no specs); #M0YV searchindexer.exe (no specs); svchost.exe; #M0YV microsoftedgeupdate.exe; #M0YV microsoftedgeupdate.exe; searchprotocolhost.exe (no specs); searchfilterhost.exe (no specs); Delivery Optimization User (no specs); #M0YV googleupdate.exe; svchost.exe; slui.exe; updatersetup.exe (no specs); googleupdate.exe; updater.exe; updater.exe (no specs); updater.exe (no specs); updater.exe (no specs); updater.exe (no specs); updater.exe (no specs); updater.exe; updater.exe (no specs); updater.exe; updater.exe (no specs); invalidkey.exe (no specs)

Process information

PID: 1012
CMD: C:\WINDOWS\system32\AppVClient.exe
Path: C:\Windows\System32\AppVClient.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Application Virtualization Client Service
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\appvclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp_win.dll
PID: 1020
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=138.0.7194.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2b4,0x2b8,0x2bc,0x2b0,0x2c0,0x140609ff8,0x14060a004,0x14060a010
Path: C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater (x64)
Version:
138.0.7194.0
Modules
Images
c:\program files (x86)\google\googleupdater\138.0.7194.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 1052
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.147.37
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1128
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi41MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9Ins5QkEyRkMwRS0yMUVDLTRFNjAtODQwRi1FQzVFNTM2NTM0NTJ9IiBpbnN0YWxsc291cmNlPSJjb3JlIiByZXF1ZXN0aWQ9InsyNzhGRUNDQi0yMThFLTQwRTItOEM5Ni05NjZEQzNDMjZCM0J9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDUuNDA0NiIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zNi4zNzIiIG5leHR2ZXJzaW9uPSIxMzguMC43MTk0LjAiIGxhbmc9IiIgYnJhbmQ9IkdDRUIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxNDEwIiBpbnN0YWxsZGF0ZT0iNjI2NSIgY29ob3J0PSIxOjJkM2Y6IiBjb2hvcnRuYW1lPSJPbWFoYSAzLCBLZXlzdG9uZSwgYW5kIFJlY292ZXJ5Ij48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvdXBkYXRlMi9hY3N6dWF4Y3RueW1vb3loZDZjcnFsaHEyNWRhXzEzOC4wLjcxOTQuMC9VcGRhdGVyU2V0dXAuZXhlIiBkb3dubG9hZGVkPSIxMzE4ODk5MiIgdG90YWw9IjEzMTg4OTkyIiBkb3dubG9hZF90aW1lX21zPSI3MDM0MyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIyLjAuNjI2MS43MCIgbmV4dHZlcnNpb249IiIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMCIgbGFuZz0iIiBicmFuZD0iR0NFQiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjE0MTAiIGluc3RhbGxkYXRlPSI2MjY1IiBjb2hvcnQ9IjE6Z3U6IiBjb2hvcnRuYW1lPSJTdGFibGUiPjxldmVudCBldmVudH
R5cGU9IjMiIGV2ZW50cmVzdWx0PSI5IiBlcnJvcmNvZGU9Ii0xNjA2MjE5NzQ4IiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Installer
Exit code:
0
Version:
1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2088
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Parent process: services.exe
User:
SYSTEM
Company:
Adobe
Integrity Level:
SYSTEM
Description:
Adobe® Flash® Player Update Service 32.0 r0
Exit code:
0
Version:
32,0,0,465
Modules
Images
c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2092
CMD: C:\WINDOWS\System32\alg.exe
Path: C:\Windows\System32\alg.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Application Layer Gateway Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\alg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2420
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update
Version:
1.3.147.37
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3784
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: invalidkey.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4380
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater (x64)
Version:
138.0.7194.0
Modules
Images
c:\program files (x86)\google\googleupdater\138.0.7194.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
Total events
49 997
Read events
43 680
Write events
6 228
Delete events
89

Modification events

Process: (5512) invalidkey.exe
Key: HKEY_LOCAL_MACHINE\AmCacheTmp\Root\InventoryApplicationFile\invalidkey.exe|ee3cb1536a3988af
Operation: delete key
Name: (default)
Value:

Process: (5008) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 1097437

Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Operation: write
Name: RedirectionGuard
Value: 1

Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Password
Value: 00

Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: delete value
Name: Password
Value:

Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Server
Value:

Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: From
Value:

Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: User
Value:

Process: (5048) MicrosoftEdgeUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

Process: (5048) MicrosoftEdgeUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both
Executable files
152
Suspicious files
19
Text files
6
Unknown types
0

Dropped files

Columns: PID | Process | Filename | Type

5008 | armsvc.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 7EF579791DBC783BA085D52ECE4BAFB2
SHA256: CF5A0E887C434A31254BE97B639DBDC2377860BB9B6E9365BDC6B01CCA69196B

5512 | invalidkey.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | executable
MD5: 9253B48958260B85C61C97699036C7E4
SHA256: FC9EC480DC1A192372B0C242F3E1F472D908B5A80D9A43BCD41E0AE3C254C0CA

5512 | invalidkey.exe | C:\Windows\System32\AppVClient.exe | executable
MD5: DCD7027AFC512FE8467E7DFAA3B817B9
SHA256: B5AD3C150E9CE7CD927C1F72C2765D0B3D9ADBBD7FB30DA33515B0B9E148DF76

5512 | invalidkey.exe | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | executable
MD5: F06E2AC0091C21FE99CF3C55DE7A38C2
SHA256: 2B453E60744D344BFDAF92A03CD507BFEF2150302B9595650EAE2413C40987C5

5512 | invalidkey.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | executable
MD5: D30D617A7C7D3AE421231785E0069329
SHA256: EE235186638B30A62DB0F348BDCA244E0AAAF20C1D76978DCA15A5B941AA9650

5512 | invalidkey.exe | C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | executable
MD5: 51FE3BA791006D47B93A5C1B40FDA0EC
SHA256: B75B764CE2426EA44798CF8D81AC685376926A4D6D2F90F7EA6F087B19E512B1

5512 | invalidkey.exe | C:\Windows\System32\alg.exe | executable
MD5: C6B66ABD4492BE76AAC5E6A5BD416206
SHA256: CD005611408EA2BA22A639C7AF956765ABCC4C6618E61161C02837B22B25809B

5512 | invalidkey.exe | C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe | executable
MD5: F6DF3F3BE17861B3B938BC050678DE52
SHA256: DDBCA9CE3FE78A58F5BCAF65E9989922EB724AD0E7846A4CAD23D117ECE100BA

5512 | invalidkey.exe | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | executable
MD5: 60A5B6A5A25BC674EBB64587032EED94
SHA256: 5B81DA812C379E8562C1EBF5CB0CEA695E80CD0B30762A620B9D1C5BB6FB9EE6

5512 | invalidkey.exe | C:\Windows\System32\FXSSVC.exe | executable
MD5: 6215FB3AD60E993DCE4888C8FD71BF09
SHA256: C21FFCFB75E75287AE5E20D04D7D4C519663DF83B256E17B1444AC11509A2CC2
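The rows above show invalidkey.exe (PID 5512) writing over legitimate, normally signed service and updater binaries under System32 and Program Files, and those same binaries then carrying the M0YV YARA and mutex markers once services.exe starts them. The Python below is an added example, not part of the ANY.RUN report: it takes the path/SHA-256 pairs from the table and sweeps a host (or a mounted image) for them, reporting each path as absent, matching the hash seen in the sandbox, or differing. The demonstration files it hashes are constructed stand-ins in a temporary directory; on a real host you would point `sweep()` at the system paths as listed.

```python
import hashlib
import tempfile
from pathlib import Path

# Path -> SHA-256 pairs copied from the "Dropped files" table of the report
# (executables written by invalidkey.exe, PID 5512). The report prints hex in
# upper case; it is normalised to lower case before comparison.
REPORTED_SHA256 = {
    r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe":
        "FC9EC480DC1A192372B0C242F3E1F472D908B5A80D9A43BCD41E0AE3C254C0CA",
    r"C:\Windows\System32\AppVClient.exe":
        "B5AD3C150E9CE7CD927C1F72C2765D0B3D9ADBBD7FB30DA33515B0B9E148DF76",
    r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe":
        "2B453E60744D344BFDAF92A03CD507BFEF2150302B9595650EAE2413C40987C5",
    r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe":
        "EE235186638B30A62DB0F348BDCA244E0AAAF20C1D76978DCA15A5B941AA9650",
    r"C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe":
        "B75B764CE2426EA44798CF8D81AC685376926A4D6D2F90F7EA6F087B19E512B1",
    r"C:\Windows\System32\alg.exe":
        "CD005611408EA2BA22A639C7AF956765ABCC4C6618E61161C02837B22B25809B",
    r"C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe":
        "DDBCA9CE3FE78A58F5BCAF65E9989922EB724AD0E7846A4CAD23D117ECE100BA",
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe":
        "5B81DA812C379E8562C1EBF5CB0CEA695E80CD0B30762A620B9D1C5BB6FB9EE6",
    r"C:\Windows\System32\FXSSVC.exe":
        "C21FFCFB75E75287AE5E20D04D7D4C519663DF83B256E17B1444AC11509A2CC2",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(iocs, root=None):
    """Return {windows_path: "absent" | "match" | "differs"} for every IOC.

    `root` lets the same table be applied to an offline image or, as in the
    demo below, to a constructed directory: the drive letter is dropped and
    the rest of the path is joined under `root`.
    """
    results = {}
    for win_path, reported in iocs.items():
        if root is None:
            target = Path(win_path)
        else:
            target = Path(root, *win_path.split("\\")[1:])
        if not target.is_file():
            results[win_path] = "absent"
        elif sha256_file(target) == reported.lower():
            results[win_path] = "match"
        else:
            results[win_path] = "differs"
    return results


def demo():
    """Constructed demonstration (not real binaries): one stand-in whose hash
    is registered as an IOC so the 'match' branch runs, one that differs.

    SHA-256("abc") is ba7816bf...15ad; it is substituted for the alg.exe
    entry only so the sweep can be exercised offline.
    """
    demo_iocs = dict(REPORTED_SHA256)
    demo_iocs[r"C:\Windows\System32\alg.exe"] = (
        "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
    )
    with tempfile.TemporaryDirectory() as root:
        alg = Path(root, "Windows", "System32", "alg.exe")
        alg.parent.mkdir(parents=True)
        alg.write_bytes(b"abc")
        Path(root, "Windows", "System32", "FXSSVC.exe").write_bytes(
            b"not the sandbox copy"
        )
        return sweep(demo_iocs, root)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

A "match" is strong evidence of this exact run's output; a "differs" is not a clean bill of health. The pattern in the table, one dropper rewriting many pre-existing service executables that then all carry the same family marker, means the rewritten file is built from whatever original was on disk, so its hash changes from host to host. Treat the hash list as a seed and follow up with Authenticode verification of the same paths (the originals are all signed Microsoft, Adobe or Google binaries) and with the 26b799fa89ba8c8f.bin artifact that the rewritten armsvc.exe wrote under the SYSTEM profile.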
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests
633
TCP/UDP connections
144
DNS requests
116
Threats
6

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation (blank where the report shows none)

5008 | armsvc.exe | POST | 200 | 18.234.103.197:80 | http://ssbzmoy.biz/tfccv | unknown | | | unknown
(PID not listed) | | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
5008 | armsvc.exe | POST | 200 | 52.11.240.239:80 | http://pywolwnvd.biz/lmrtexxsvifual | unknown | | | malicious
5008 | armsvc.exe | POST | 200 | 52.11.240.239:80 | http://cvgrf.biz/rn | unknown | | | malicious
5512 | invalidkey.exe | POST | 200 | 52.11.240.239:80 | http://cvgrf.biz/vjvfhisukqe | unknown | | | malicious
(PID not listed) | | GET | 204 | 142.250.185.110:443 | https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.372&applang=&machine=1&version=1.3.36.372&userid=&osversion=10.0&servicepack= | unknown | | | unknown
(PID not listed) | | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
5008 | armsvc.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/ogofgppnuk | unknown | | | malicious
5512 | invalidkey.exe | POST | 200 | 172.233.219.123:80 | http://przvgke.biz/phrgdqqcu | unknown | | | unknown
5512 | invalidkey.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/kxcdbg | unknown | | | malicious

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (blank where the report shows none)

4 | System | 192.168.100.255:137 | | | | whitelisted
5048 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(PID not listed) | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5048 | RUXIMICS.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5048 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5512 | invalidkey.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
5008 | armsvc.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
5512 | invalidkey.exe | 18.234.103.197:80 | ssbzmoy.biz | AMAZON-AES | US | malicious
5008 | armsvc.exe | 18.234.103.197:80 | ssbzmoy.biz | AMAZON-AES | US | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.183
  • 23.48.23.181
  • 23.48.23.178
  • 23.48.23.171
  • 23.48.23.174
  • 23.48.23.179
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
pywolwnvd.biz
  • 52.11.240.239
malicious
ssbzmoy.biz
  • 18.234.103.197
unknown
cvgrf.biz
  • 52.11.240.239
malicious
login.live.com
  • 40.126.31.71
  • 40.126.31.3
  • 40.126.31.129
  • 40.126.31.0
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.130
  • 20.190.159.75
whitelisted
npukfztj.biz
  • 3.229.117.57
malicious
clients2.google.com
  • 172.217.18.14
whitelisted

Threats

Columns: PID | Process | Class | Message

2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
7732 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7732 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
5512 | invalidkey.exe | Misc activity | ET INFO Namecheap URL Forward
5008 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
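The HTTP, Connections, DNS and Threats sections show the same beaconing pattern from two processes: the sample itself (PID 5512) and the rewritten Adobe ARM service binary armsvc.exe (PID 5008), both POSTing to short random-looking paths on throwaway .biz domains over plain HTTP to AWS-hosted addresses, while the Suricata alerts name knjghuig.biz, queried through the DNS client service (svchost.exe, PID 2196), as an Expiro-related domain. The Python below is an added example, not part of the ANY.RUN report: it turns those observations into a detection that runs over DNS and proxy log lines and then groups hits by process, so a service binary beaconing alongside the sample stands out. The key=value log format and the seven sample lines are constructed for the demonstration; the domains and IP:port pairs are the ones listed in the report.

```python
import re
from collections import defaultdict

# Network IOCs taken from the report's HTTP, Connections, DNS and Threats
# sections. knjghuig.biz appears only in the Suricata rule name ("ET MALWARE
# DNS Query to Expiro Related Domain"); the other five are the domains the
# sample and the rewritten armsvc.exe POSTed to.
C2_DOMAINS = {
    "ssbzmoy.biz", "pywolwnvd.biz", "cvgrf.biz", "npukfztj.biz",
    "przvgke.biz", "knjghuig.biz",
}
C2_ENDPOINTS = {
    "18.234.103.197:80", "52.11.240.239:80", "3.229.117.57:80",
    "172.233.219.123:80",
}

# Constructed log lines (not from the sandbox) in a simple key=value format:
# one DNS-query line or one proxy line per event.
SAMPLE_LOG = """\
ts=2025-05-26T18:54:31Z type=dns pid=5512 image=invalidkey.exe qname=pywolwnvd.biz
ts=2025-05-26T18:54:31Z type=http pid=5512 image=invalidkey.exe method=POST dst=52.11.240.239:80 host=pywolwnvd.biz path=/lmrtexxsvifual
ts=2025-05-26T18:55:02Z type=dns pid=5008 image=armsvc.exe qname=ssbzmoy.biz
ts=2025-05-26T18:55:02Z type=http pid=5008 image=armsvc.exe method=POST dst=18.234.103.197:80 host=ssbzmoy.biz path=/tfccv
ts=2025-05-26T18:55:10Z type=dns pid=2196 image=svchost.exe qname=knjghuig.biz
ts=2025-05-26T18:55:12Z type=http pid=7300 image=GoogleUpdate.exe method=GET dst=142.250.185.110:443 host=clients2.google.com path=/service/check2
ts=2025-05-26T18:55:40Z type=dns pid=5048 image=RUXIMICS.exe qname=settings-win.data.microsoft.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values never contain whitespace here."""
    return dict(KV.findall(line))


def domain_matches(name):
    """Exact match or subdomain of a listed C2 domain (www.cvgrf.biz counts,
    notcvgrf.biz does not)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan(log_text):
    """Return (pid, image, reason, indicator) hits in log order.

    DNS lines are matched on the queried name; HTTP lines first on the
    destination IP:port (catches requests sent without a Host header, which
    the report flags as "Connects to the server without a host name"), then
    on the Host value.
    """
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("type") == "dns" and domain_matches(ev.get("qname", "")):
            hits.append((ev["pid"], ev["image"], "dns-c2-domain", ev["qname"]))
        elif ev.get("type") == "http":
            if ev.get("dst") in C2_ENDPOINTS:
                hits.append((ev["pid"], ev["image"], "http-c2-endpoint", ev["dst"]))
            elif domain_matches(ev.get("host", "")):
                hits.append((ev["pid"], ev["image"], "http-c2-host", ev["host"]))
    return hits


def suspects(hits):
    """Group indicators by (pid, image). Any image other than the original
    sample that shows up here is a candidate rewritten binary, which is
    exactly how armsvc.exe presents in the report."""
    by_proc = defaultdict(set)
    for pid, image, _reason, indicator in hits:
        by_proc[(pid, image)].add(indicator)
    return dict(by_proc)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for pid, image, reason, ind in found:
        print(f"{pid:>5} {image:<16} {reason:<18} {ind}")
    for (pid, image), inds in suspects(found).items():
        print(f"suspect {image} (PID {pid}): {sorted(inds)}")
```

Exact-match lists age quickly: this single run already touches five registrant-style .biz domains plus the one in the ET rule, and the report marks two of them as "unknown" rather than "malicious". Use the list as a seed and alert on the behaviour that survives domain rotation: an installed service executable issuing HTTP POSTs to unrelated .biz hosts over port 80 right after it was rewritten on disk.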
No debug info