Malware analysis Update.exe Malicious activity | ANY.RUN

Add for printing

File name:	Update.exe
Full analysis:	https://app.any.run/tasks/72abe701-ef46-43b0-a578-e5a8145598e4
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 02, 2025, 22:27:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	telegram stealer evasion possible-phishing phishing python trox
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	9F4DA868E82215F6DBFD6290D4FD3147
SHA1:	3950964203B653447AEECA8D9369883D8E4E9ECA
SHA256:	F79D3E8CC0DC415C3098CC877346992E30E4DCDB8FB1EF71B260016F853F1CAE
SSDEEP:	98304:GNFT9nfQagMIHS3Dg4A41K7hFK2tEDrnR8z8VziVLBHCPiwfsQRFm9LRG1uwOZxn:cX4Dn/BBgyvxAs7M0BE+jKbwGCs43F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- TROX has been detected
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7544)
- Starts NET.EXE for service management
  - cmd.exe (PID: 2432)
  - net.exe (PID: 5988)
  - net.exe (PID: 2980)
  - cmd.exe (PID: 5304)
- Actions looks like stealing of personal data
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- PHISHING has been detected (SURICATA)
  - svchost.exe (PID: 2196)
SUSPICIOUS
- The process creates files with name similar to system file names
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7544)
- Process drops python dynamic module
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7544)
- Process drops legitimate windows executable
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7316)
  - Update.exe (PID: 7544)
  - Update.exe (PID: 6676)
- Executable content was dropped or overwritten
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - Update.exe (PID: 7544)
  - Update.exe (PID: 6676)
  - Menu.exe (PID: 7244)
- The process drops C-runtime libraries
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
  - Update.exe (PID: 7544)
- Application launched itself
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7544)
- Loads Python modules
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- Starts CMD.EXE for commands execution
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - Update.exe (PID: 6676)
  - Menu.exe (PID: 7244)
- Uses WMIC.EXE to obtain physical disk drive information
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- Checks for external IP
  - svchost.exe (PID: 2196)
- Process drops SQLite DLL files
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- Reads security settings of Internet Explorer
  - Menu.exe (PID: 1472)
  - Update.exe (PID: 4700)
  - Menu.exe (PID: 7244)
- Get information on the list of running processes
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- Hides command output
  - cmd.exe (PID: 2244)
  - cmd.exe (PID: 6368)
- Uses TASKKILL.EXE to kill Browsers
  - cmd.exe (PID: 2244)
  - cmd.exe (PID: 6368)
INFO
- Checks supported languages
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - chrome_inject_x64.exe (PID: 8000)
  - Update.exe (PID: 6676)
  - Update.exe (PID: 7544)
  - Menu.exe (PID: 7244)
  - chrome_inject_x64.exe (PID: 1764)
- The sample compiled with english language support
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7316)
  - Update.exe (PID: 7544)
  - Update.exe (PID: 6676)
- Create files in a temporary directory
  - Update.exe (PID: 4700)
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - chrome_inject_x64.exe (PID: 8000)
  - Update.exe (PID: 6676)
  - Update.exe (PID: 7544)
  - Menu.exe (PID: 7244)
  - chrome_inject_x64.exe (PID: 1764)
- Reads the machine GUID from the registry
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - Update.exe (PID: 6676)
  - Menu.exe (PID: 7244)
- Reads the computer name
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - Update.exe (PID: 4700)
  - Menu.exe (PID: 7244)
  - Update.exe (PID: 6676)
- Checks operating system version
  - Update.exe (PID: 7316)
  - Update.exe (PID: 6676)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 1072)
  - WMIC.exe (PID: 5548)
- Creates files or folders in the user directory
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - Update.exe (PID: 6676)
  - Menu.exe (PID: 7244)
- Attempting to use instant messaging service
  - Update.exe (PID: 7316)
  - svchost.exe (PID: 2196)
  - Update.exe (PID: 6676)
- Checks proxy server information
  - Update.exe (PID: 7316)
  - Menu.exe (PID: 1472)
  - slui.exe (PID: 6464)
  - Update.exe (PID: 6676)
  - Menu.exe (PID: 7244)
- Manual execution by a user
  - Update.exe (PID: 7544)
  - notepad++.exe (PID: 6792)
- Reads the software policy settings
  - slui.exe (PID: 6464)
  - Menu.exe (PID: 1472)
  - Menu.exe (PID: 7244)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:05:31 22:47:18+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	189952
InitializedDataSize:	16138240
UninitializedDataSize:	-
EntryPoint:	0x16604
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Microsoft Update Services
ProductName:	Google Chrome Helper
LegalCopyright:	┬® Microsoft Corporation
ProductVersion:	1.0.0.0
FileVersion:	1.0.0.0
OriginalFileName:	chrome_helper.exe
InternalName:	chrome_helper
FileDescription:	chrome_helper.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

167

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1072

wmic diskdrive get SerialNumber

C:\Windows\System32\wbem\WMIC.exe

—

Update.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

1132

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Menu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1472

C:\Users\admin\AppData\Local\Temp\oIbAGbL2Sz\Menu.exe 0 IrmVUJKPS10KZ1D

C:\Users\admin\AppData\Local\Temp\oIbAGbL2Sz\Menu.exe

Update.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

4294967295

Modules

Images
c:\users\admin\appdata\local\temp\oibagbl2sz\menu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\onefile_4700_133933768467710974\vcruntime140_1.dll

1512

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1616

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

WMIC.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1764

C:\Users\admin\AppData\Local\Temp\8fW3TQJmea\chrome_inject_x64.exe --method nt chrome

C:\Users\admin\AppData\Local\Temp\8fW3TQJmea\chrome_inject_x64.exe

—

Update.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\8fw3tqjmea\chrome_inject_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\rpcrt4.dll

2040

C:\WINDOWS\system32\cmd.exe /c "ver"

C:\Windows\System32\cmd.exe

—

Update.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

2088

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\chrome_decrypt_session.cfg

C:\Windows\System32\notepad.exe

—

OpenWith.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2244

C:\WINDOWS\system32\cmd.exe /c taskkill /f /im chrome.exe >nul 2>&1

C:\Windows\System32\cmd.exe

—

Menu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

6 278

Read events

6 263

Write events

Delete events

Modification events


(PID) Process:	(1472) Menu.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1472) Menu.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1472) Menu.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7244) Menu.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7244) Menu.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7244) Menu.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7276) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cfg\UserChoice
Operation:	write	Name:	ProgId
Value: Applications\notepad.exe
(PID) Process:	(7276) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cfg\UserChoice
Operation:	write	Name:	Hash
Value: CLskcBQzXt8=
(PID) Process:	(7276) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cfg\OpenWithProgids
Operation:	write	Name:	cfg_auto_file
Value:
(PID) Process:	(7276) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cfg\OpenWithList
Operation:	write	Name:	b
Value: NOTEPAD.EXE

Add for printing

Executable files

154

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_bz2.pyd		executable
		MD5:B45E82A398713163216984F2FEBA88F6	SHA256:4C2649DC69A8874B91646723AACB84C565EFEAA4277C46392055BCA9A10497A8
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\newsystem.dll		executable
		MD5:AF3DE6F535A4C6E88DB49456628EEF8B	SHA256:D0295DE816E93D5F8DBE62B978B6CABCAB1906923EB8102EB0794F361631EC3F
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_brotli.pyd		executable
		MD5:EE3D454883556A68920CAAEDEFBC1F83	SHA256:791E7195D7DF47A21466868F3D7386CFF13F16C51FCD0350BF4028E96278DFF1
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_queue.pyd		executable
		MD5:C9EE37E9F3BFFD296ADE10A27C7E5B50	SHA256:9ECEC72C5FE3C83C122043CAD8CEB80D239D99D03B8EA665490BBCED183CE42A
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_elementtree.pyd		executable
		MD5:1FECAC327FC93FC161833AD709336BBB	SHA256:16480EDE0430BE5249481A9BFB843EB0EF98F93B467A5428352FC23CC8C9051D
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_ctypes.pyd		executable
		MD5:79F339753DC8954B8EB45FE70910937E	SHA256:35CDD122679041EBEF264DE5626B7805F3F66C8AE6CC451B8BC520BE647FA007
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_cffi_backend.pyd		executable
		MD5:2BAAA98B744915339AE6C016B17C3763	SHA256:4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_decimal.pyd		executable
		MD5:1CDD7239FC63B7C8A2E2BC0A08D9EA76	SHA256:384993B2B8CFCBF155E63F0EE2383A9F9483DE92AB73736FF84590A0C4CA2690
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_hashlib.pyd		executable
		MD5:CFB9E0A73A6C9D6D35C2594E52E15234	SHA256:50DAEB3985302A8D85CE8167B0BF08B9DA43E7D51CEAE50E8E1CDFB0EDF218C6
4700	Update.exe	C:\Users\admin\AppData\Local\Temp\onefile_4700_133933768467710974\_ssl.pyd		executable
		MD5:11C5008E0BA2CAA8ADF7452F0AAAFD1E	SHA256:BF63F44951F14C9D0C890415D013276498D6D59E53811BBE2FA16825710BEA14

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7316	Update.exe	GET	—	142.250.185.132:80	http://www.google.com/	unknown	—	—	whitelisted
7572	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1472	Menu.exe	GET	200	192.124.249.41:80	http://crl.starfieldtech.com/sfroot-g2.crl	unknown	—	—	whitelisted
1472	Menu.exe	GET	200	151.101.3.3:80	http://ocsp.int-r1.certainly.com/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEnbQG4No9mE0fGLlixi0yFiWaQ%3D%3D	unknown	—	—	unknown
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7956	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7956	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6676	Update.exe	GET	—	142.250.184.228:80	http://www.google.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
616	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
7572	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7316	Update.exe	142.250.185.132:80	www.google.com	GOOGLE	US	whitelisted
7316	Update.exe	149.154.167.220:443	api.telegram.org	Telegram Messenger Inc	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
google.com	142.250.186.110	whitelisted
www.google.com	142.250.185.132 142.250.184.228	whitelisted
api.telegram.org	149.154.167.220	whitelisted
ipapi.co	104.26.9.44 104.26.8.44 172.67.69.226	shared
cdn.glitch.global	151.101.2.132 151.101.66.132 151.101.130.132 151.101.194.132	whitelisted
sincere-tender-savory.glitch.me	151.101.2.59 151.101.66.59 151.101.130.59 151.101.194.59	shared
crl.starfieldtech.com	192.124.249.41 192.124.249.31 192.124.249.36	whitelisted

Threats

PID	Process	Class	Message
7316	Update.exe	Attempted Information Leak	ET INFO Python-urllib/ Suspicious User Agent
2196	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
7316	Update.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7316	Update.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
7316	Update.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1472	Menu.exe	Misc activity	ET INFO Observed Online Application Hosting Domain (glitch .me in TLS SNI)
2196	svchost.exe	Misc activity	ET INFO DNS Query to Online Application Hosting Domain (glitch .me)
2196	svchost.exe	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Domain name pattern identified as Phishing (.glitch .me)
1472	Menu.exe	Possible Social Engineering Attempted	ET HUNTING Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing

Add for printing

No debug info

General Info

Update.exe

9F4DA868E82215F6DBFD6290D4FD3147

3950964203B653447AEECA8D9369883D8E4E9ECA

F79D3E8CC0DC415C3098CC877346992E30E4DCDB8FB1EF71B260016F853F1CAE

98304:GNFT9nfQagMIHS3Dg4A41K7hFK2tEDrnR8z8VziVLBHCPiwfsQRFm9LRG1uwOZxn:cX4Dn/BBgyvxAs7M0BE+jKbwGCs43F

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TROX has been detected

Starts NET.EXE for service management

Actions looks like stealing of personal data

PHISHING has been detected (SURICATA)

SUSPICIOUS

The process creates files with name similar to system file names

Process drops python dynamic module

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain physical disk drive information

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Checks for external IP

Process drops SQLite DLL files

Reads security settings of Internet Explorer

Get information on the list of running processes

Hides command output

Uses TASKKILL.EXE to kill Browsers

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Checks operating system version

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Attempting to use instant messaging service

Checks proxy server information

Manual execution by a user

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files