File name: invalidkey.exe

Full analysis: https://app.any.run/tasks/989eeabf-b26b-4447-b695-a995c2fa3e34
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 26, 2025, 18:54:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
m0yv
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 9BC5C0638D9BB1CAE646F1D8937A3187
SHA1: 61926CAA575A03CC14407839E2D35F4808DA6736
SHA256: E744C04BA8A24EE1351F668172A5600EA0517190D76B7A3930FF5F7805A46644
SSDEEP: 98304:EfBT3zY9SeSlGn64tm6RaOsFvX9LDy/oVPsUlM5vRhz8luUvAphjeDBa8zreE4+K:F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • alg.exe (PID: 2092)
      • AppVClient.exe (PID: 1012)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5776)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • FXSSVC.exe (PID: 6540)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
      • GameInputSvc.exe (PID: 7084)
      • GameInputSvc.exe (PID: 7192)
      • elevation_service.exe (PID: 7236)
      • GoogleUpdate.exe (PID: 7300)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • elevation_service.exe (PID: 7524)
      • GoogleUpdate.exe (PID: 7576)
      • maintenanceservice.exe (PID: 7620)
      • msdtc.exe (PID: 7684)
      • GoogleUpdate.exe (PID: 7740)
      • PerceptionSimulationService.exe (PID: 7880)
      • PSEXESVC.exe (PID: 8016)
      • Locator.exe (PID: 8068)
      • SensorDataService.exe (PID: 8136)
      • snmptrap.exe (PID: 8180)
      • Spectrum.exe (PID: 4784)
      • ssh-agent.exe (PID: 6240)
      • TieringEngineService.exe (PID: 7420)
      • AgentService.exe (PID: 7508)
      • vds.exe (PID: 7636)
      • VSSVC.exe (PID: 7608)
      • wbengine.exe (PID: 7940)
      • SearchIndexer.exe (PID: 8224)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
      • GoogleUpdate.exe (PID: 8784)
      • WmiApSrv.exe (PID: 7552)
    • M0YV has been detected (YARA)

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
      • alg.exe (PID: 2092)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5776)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • GameInputSvc.exe (PID: 7084)
      • GameInputSvc.exe (PID: 7192)
      • elevation_service.exe (PID: 7236)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • elevation_service.exe (PID: 7524)
      • msdtc.exe (PID: 7684)
  • SUSPICIOUS

    • Executes as Windows Service

      • armsvc.exe (PID: 5008)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • alg.exe (PID: 2092)
      • AppVClient.exe (PID: 1012)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5776)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • FXSSVC.exe (PID: 6540)
      • GameInputSvc.exe (PID: 7084)
      • GoogleUpdate.exe (PID: 7300)
      • maintenanceservice.exe (PID: 7620)
      • msdtc.exe (PID: 7684)
      • PerceptionSimulationService.exe (PID: 7880)
      • perfhost.exe (PID: 7980)
      • PSEXESVC.exe (PID: 8016)
      • Locator.exe (PID: 8068)
      • SensorDataService.exe (PID: 8136)
      • snmptrap.exe (PID: 8180)
      • Spectrum.exe (PID: 4784)
      • ssh-agent.exe (PID: 6240)
      • TieringEngineService.exe (PID: 7420)
      • AgentService.exe (PID: 7508)
      • vds.exe (PID: 7636)
      • VSSVC.exe (PID: 7608)
      • wbengine.exe (PID: 7940)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • GoogleUpdate.exe (PID: 8784)
      • WmiApSrv.exe (PID: 7552)
      • updater.exe (PID: 8976)
      • updater.exe (PID: 7628)
      • updater.exe (PID: 6248)
    • Starts CMD.EXE for commands execution

      • invalidkey.exe (PID: 5512)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • GameInputSvc.exe (PID: 7084)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • GoogleUpdate.exe (PID: 7300)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • updater.exe (PID: 5364)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 8976)
      • updater.exe (PID: 4380)
      • updater.exe (PID: 7628)
      • updater.exe (PID: 6248)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5048)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7324)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7404)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
    • Process drops legitimate windows executable

      • invalidkey.exe (PID: 5512)
    • Executable content was dropped or overwritten

      • invalidkey.exe (PID: 5512)
      • svchost.exe (PID: 7732)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 5364)
      • updater.exe (PID: 7628)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 7732)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 7732)
    • There is functionality for taking screenshot (YARA)

      • GoogleUpdate.exe (PID: 7456)
    • Connects to the server without a host name

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
  • INFO

    • Checks supported languages

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5048)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • elevation_service.exe (PID: 7236)
      • GoogleUpdate.exe (PID: 7300)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7324)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7404)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • elevation_service.exe (PID: 7524)
      • maintenanceservice.exe (PID: 7620)
      • GoogleCrashHandler.exe (PID: 7604)
      • GoogleCrashHandler64.exe (PID: 7672)
      • GoogleUpdate.exe (PID: 7576)
      • GoogleUpdate.exe (PID: 7740)
      • PSEXESVC.exe (PID: 8016)
      • ssh-agent.exe (PID: 6240)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
      • GoogleUpdate.exe (PID: 8784)
    • Creates files or folders in the user directory

      • invalidkey.exe (PID: 5512)
      • GoogleUpdate.exe (PID: 7576)
    • Reads the computer name

      • invalidkey.exe (PID: 5512)
      • armsvc.exe (PID: 5008)
      • FlashPlayerUpdateService.exe (PID: 2088)
      • MicrosoftEdgeUpdate.exe (PID: 5504)
      • MicrosoftEdgeUpdate.exe (PID: 2420)
      • MicrosoftEdgeUpdate.exe (PID: 1052)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5048)
      • elevation_service.exe (PID: 7236)
      • GoogleUpdate.exe (PID: 7300)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7324)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7404)
      • GoogleUpdate.exe (PID: 7456)
      • MicrosoftEdgeUpdate.exe (PID: 7468)
      • GoogleUpdate.exe (PID: 7576)
      • elevation_service.exe (PID: 7524)
      • GoogleCrashHandler.exe (PID: 7604)
      • GoogleUpdate.exe (PID: 7740)
      • GoogleCrashHandler64.exe (PID: 7672)
      • maintenanceservice.exe (PID: 7620)
      • PSEXESVC.exe (PID: 8016)
      • ssh-agent.exe (PID: 6240)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
      • GoogleUpdate.exe (PID: 8784)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 6540)
      • GoogleUpdate.exe (PID: 7300)
      • GoogleUpdate.exe (PID: 7456)
      • GoogleUpdate.exe (PID: 7576)
      • maintenanceservice.exe (PID: 7620)
      • GoogleUpdate.exe (PID: 7740)
      • SearchIndexer.exe (PID: 8224)
      • GoogleUpdate.exe (PID: 8784)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 7192)
      • GoogleUpdate.exe (PID: 7576)
      • MicrosoftEdgeUpdate.exe (PID: 8416)
      • MicrosoftEdgeUpdate.exe (PID: 8352)
      • GoogleUpdate.exe (PID: 8784)
    • Executes as Windows Service

      • elevation_service.exe (PID: 7236)
      • elevation_service.exe (PID: 7524)
      • SearchIndexer.exe (PID: 8224)
    • Checks proxy server information

      • invalidkey.exe (PID: 5512)
    • The sample compiled with english language support

      • invalidkey.exe (PID: 5512)
      • svchost.exe (PID: 7732)
      • GoogleUpdate.exe (PID: 8784)
      • updater.exe (PID: 5364)
      • updater.exe (PID: 7628)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 7684)
    • Reads the machine GUID from the registry

      • GoogleUpdate.exe (PID: 7576)
      • GoogleUpdate.exe (PID: 8784)
    • Reads the time zone

      • TieringEngineService.exe (PID: 7420)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 8416)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 8496)
      • SearchFilterHost.exe (PID: 8524)
    • The sample compiled with bulgarian language support

      • invalidkey.exe (PID: 5512)
    • Create files in a temporary directory

      • svchost.exe (PID: 7732)
No Malware configuration.

TRiD

.exe | Clipper DOS Executable (33.5)
.exe | Generic Win/DOS Executable (33.2)
.exe | DOS Executable Generic (33.2)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:14 11:29:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2479104
InitializedDataSize: 1528320
UninitializedDataSize: -
EntryPoint: 0x25ce6c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 192
Monitored processes: 65
Malicious processes: 38
Suspicious processes: 2

Behavior graph

  • start
  • #M0YV invalidkey.exe
  • conhost.exe (no specs)
  • #M0YV armsvc.exe
  • #M0YV flashplayerupdateservice.exe (no specs)
  • cmd.exe (no specs)
  • #M0YV alg.exe (no specs)
  • #M0YV appvclient.exe (no specs)
  • #M0YV diagnosticshub.standardcollector.service.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV fxssvc.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV gameinputsvc.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV gameinputsvc.exe (no specs)
  • #M0YV elevation_service.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV elevation_service.exe (no specs)
  • #M0YV googleupdate.exe
  • googlecrashhandler.exe (no specs)
  • #M0YV maintenanceservice.exe (no specs)
  • googlecrashhandler64.exe (no specs)
  • #M0YV msdtc.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV perceptionsimulationservice.exe (no specs)
  • perfhost.exe (no specs)
  • #M0YV psexesvc.exe (no specs)
  • #M0YV locator.exe (no specs)
  • #M0YV sensordataservice.exe (no specs)
  • #M0YV snmptrap.exe (no specs)
  • #M0YV spectrum.exe (no specs)
  • #M0YV ssh-agent.exe (no specs)
  • #M0YV tieringengineservice.exe (no specs)
  • #M0YV agentservice.exe (no specs)
  • #M0YV vds.exe (no specs)
  • #M0YV vssvc.exe (no specs)
  • #M0YV wbengine.exe (no specs)
  • #M0YV wmiapsrv.exe (no specs)
  • #M0YV searchindexer.exe (no specs)
  • svchost.exe
  • #M0YV microsoftedgeupdate.exe
  • #M0YV microsoftedgeupdate.exe
  • searchprotocolhost.exe (no specs)
  • searchfilterhost.exe (no specs)
  • Delivery Optimization User (no specs)
  • #M0YV googleupdate.exe
  • svchost.exe
  • slui.exe
  • updatersetup.exe (no specs)
  • googleupdate.exe
  • updater.exe
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe (no specs)
  • updater.exe
  • updater.exe (no specs)
  • updater.exe
  • updater.exe (no specs)
  • invalidkey.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1012
CMD: C:\WINDOWS\system32\AppVClient.exe
Path: C:\Windows\System32\AppVClient.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Application Virtualization Client Service
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\appvclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp_win.dll
PID: 1020
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=138.0.7194.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2b4,0x2b8,0x2bc,0x2b0,0x2c0,0x140609ff8,0x14060a004,0x14060a010
Path: C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater (x64)
Version:
138.0.7194.0
Modules
Images
c:\program files (x86)\google\googleupdater\138.0.7194.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 1052
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.147.37
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1128
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi41MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9Ins5QkEyRkMwRS0yMUVDLTRFNjAtODQwRi1FQzVFNTM2NTM0NTJ9IiBpbnN0YWxsc291cmNlPSJjb3JlIiByZXF1ZXN0aWQ9InsyNzhGRUNDQi0yMThFLTQwRTItOEM5Ni05NjZEQzNDMjZCM0J9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDUuNDA0NiIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zNi4zNzIiIG5leHR2ZXJzaW9uPSIxMzguMC43MTk0LjAiIGxhbmc9IiIgYnJhbmQ9IkdDRUIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxNDEwIiBpbnN0YWxsZGF0ZT0iNjI2NSIgY29ob3J0PSIxOjJkM2Y6IiBjb2hvcnRuYW1lPSJPbWFoYSAzLCBLZXlzdG9uZSwgYW5kIFJlY292ZXJ5Ij48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvdXBkYXRlMi9hY3N6dWF4Y3RueW1vb3loZDZjcnFsaHEyNWRhXzEzOC4wLjcxOTQuMC9VcGRhdGVyU2V0dXAuZXhlIiBkb3dubG9hZGVkPSIxMzE4ODk5MiIgdG90YWw9IjEzMTg4OTkyIiBkb3dubG9hZF90aW1lX21zPSI3MDM0MyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIyLjAuNjI2MS43MCIgbmV4dHZlcnNpb249IiIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMCIgbGFuZz0iIiBicmFuZD0iR0NFQiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjE0MTAiIGluc3RhbGxkYXRlPSI2MjY1IiBjb2hvcnQ9IjE6Z3U6IiBjb2hvcnRuYW1lPSJTdGFibGUiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSI5IiBlcnJvcmNvZGU9Ii0xNjA2MjE5NzQ4IiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Installer
Exit code:
0
Version:
1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2088
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Parent process: services.exe
User:
SYSTEM
Company:
Adobe
Integrity Level:
SYSTEM
Description:
Adobe® Flash® Player Update Service 32.0 r0
Exit code:
0
Version:
32,0,0,465
Modules
Images
c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2092
CMD: C:\WINDOWS\System32\alg.exe
Path: C:\Windows\System32\alg.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Application Layer Gateway Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\alg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2420
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update
Version:
1.3.147.37
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3784
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: invalidkey.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4380
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\138.0.7194.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater (x64)
Version:
138.0.7194.0
Modules
Images
c:\program files (x86)\google\googleupdater\138.0.7194.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
Total events: 49 997
Read events: 43 680
Write events: 6 228
Delete events: 89

Modification events

(PID) Process: (5512) invalidkey.exe
Key: HKEY_LOCAL_MACHINE\AmCacheTmp\Root\InventoryApplicationFile\invalidkey.exe|ee3cb1536a3988af
Operation: delete key
Name: (default)
Value:

(PID) Process: (5008) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 1097437

(PID) Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Operation: write
Name: RedirectionGuard
Value: 1

(PID) Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Password
Value: 00

(PID) Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: delete value
Name: Password
Value:

(PID) Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Server
Value:

(PID) Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: From
Value:

(PID) Process: (6540) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: User
Value:

(PID) Process: (5048) MicrosoftEdgeUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (5048) MicrosoftEdgeUpdateComRegisterShell64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both
Executable files: 152
Suspicious files: 19
Text files: 6
Unknown types: 0

Dropped files

PID: 5512 | Process: invalidkey.exe | Filename: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Type: executable
MD5: 9253B48958260B85C61C97699036C7E4
SHA256: FC9EC480DC1A192372B0C242F3E1F472D908B5A80D9A43BCD41E0AE3C254C0CA

PID: 5512 | Process: invalidkey.exe | Filename: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | Type: executable
MD5: 60A5B6A5A25BC674EBB64587032EED94
SHA256: 5B81DA812C379E8562C1EBF5CB0CEA695E80CD0B30762A620B9D1C5BB6FB9EE6

PID: 5512 | Process: invalidkey.exe | Filename: C:\Windows\System32\msdtc.exe | Type: executable
MD5: 5A0195F2D4DF8CC13ABDAE47B4ED0A64
SHA256: DC957C3C93C18F25C87AC7C92DD8CFF6E50F3F75799CCC0E070DE073A8E9A06E

PID: 7732 | Process: svchost.exe | Filename: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Type: binary
MD5: EC9918FA0CCD0007ED6D383D793C5512
SHA256: 2180260D7F92317E51FE47D8DF9071642ABB8B8A9780ED94130A274504C56854

PID: 7620 | Process: maintenanceservice.exe | Filename: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | Type: text
MD5: 9954C0658A54950173A4F4238EEDB0F8
SHA256: DB3DB01FC1231F44E4DBF6E985A6C6138289C992A56AD81FAABB867B17C6A988

PID: 5512 | Process: invalidkey.exe | Filename: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Type: executable
MD5: 1913D0D5BD7B7FA4CEB63DFF742341CE
SHA256: F413FBD4756D672921307C7B3C4B8FF12E23C8DB94376B6EAD821D3F0E1136D3

PID: 5512 | Process: invalidkey.exe | Filename: C:\Windows\System32\msiexec.exe | Type: executable
MD5: 5DDB9F02651C4699AF39408F08AE4439
SHA256: 2AE24C72166B71F733E557418DEDDE77BC2F31C8137F9CDD7D17A1A63032D6E9

PID: 5008 | Process: armsvc.exe | Filename: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | Type: binary
MD5: 7EF579791DBC783BA085D52ECE4BAFB2
SHA256: CF5A0E887C434A31254BE97B639DBDC2377860BB9B6E9365BDC6B01CCA69196B

PID: 5512 | Process: invalidkey.exe | Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | Type: binary
MD5: 50F7861234C0F5BD313810B3B8DD97C6
SHA256: 0932CF663B43667E47D751CA12C717DF432784E7E61A0A49A2073FF9DE70B0C4

PID: 5512 | Process: invalidkey.exe | Filename: C:\Windows\System32\alg.exe | Type: executable
MD5: C6B66ABD4492BE76AAC5E6A5BD416206
SHA256: CD005611408EA2BA22A639C7AF956765ABCC4C6618E61161C02837B22B25809B
HTTP(S) requests: 633
TCP/UDP connections: 144
DNS requests: 116
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5512 | invalidkey.exe | POST | 200 | 172.233.219.123:80 | http://przvgke.biz/phrgdqqcu | unknown | - | - | unknown
5008 | armsvc.exe | POST | 200 | 172.233.219.123:80 | http://przvgke.biz/mtxbq | unknown | - | - | unknown
5008 | armsvc.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/ogofgppnuk | unknown | - | - | malicious
5512 | invalidkey.exe | POST | 200 | 172.233.219.123:80 | http://przvgke.biz/bmprxjucnyhrxw | unknown | - | - | unknown
5008 | armsvc.exe | POST | - | 172.233.219.123:80 | http://przvgke.biz/ahtcrnrxwciqalao | unknown | - | - | unknown
5512 | invalidkey.exe | POST | 302 | 192.64.119.165:80 | http://anpmnmxo.biz/bufmnimcsv | unknown | - | - | unknown
5512 | invalidkey.exe | POST | 200 | 18.234.103.197:80 | http://knjghuig.biz/olpjlxe | unknown | - | - | malicious
5008 | armsvc.exe | POST | 200 | 18.234.103.197:80 | http://knjghuig.biz/gayhihjper | unknown | - | - | malicious
5048 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5048 | RUXIMICS.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5048 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5048 | RUXIMICS.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5048 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5512 | invalidkey.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
5008 | armsvc.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
5512 | invalidkey.exe | 18.234.103.197:80 | ssbzmoy.biz | AMAZON-AES | US | malicious
5008 | armsvc.exe | 18.234.103.197:80 | ssbzmoy.biz | AMAZON-AES | US | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.183
  • 23.48.23.181
  • 23.48.23.178
  • 23.48.23.171
  • 23.48.23.174
  • 23.48.23.179
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
pywolwnvd.biz
  • 52.11.240.239
malicious
ssbzmoy.biz
  • 18.234.103.197
unknown
cvgrf.biz
  • 52.11.240.239
malicious
login.live.com
  • 40.126.31.71
  • 40.126.31.3
  • 40.126.31.129
  • 40.126.31.0
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.130
  • 20.190.159.75
whitelisted
npukfztj.biz
  • 3.229.117.57
malicious
clients2.google.com
  • 172.217.18.14
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
7732 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7732 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
5512 | invalidkey.exe | Misc activity | ET INFO Namecheap URL Forward
5008 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
No debug info