File name:

Uninstall.exe

Full analysis: https://app.any.run/tasks/e87ac8e1-65d6-4f19-b2a3-58222b97042b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 22, 2024, 01:27:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
expiro
sinkhole
m0yv
stealer
loader
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

C6518571CCEFF45660016E694CF1FBC9

SHA1:

8426C78ECE90B4734001076CBA36631F3ACF8B69

SHA256:

FBC07F59B8891077D9F83D9D483819C11843F20ED69E443C1073C713BA5C2AE8

SSDEEP:

49152:e6JuY1F4SpdjARBZfUb79ggtwHQxvWds56a2HtUdsvYPeHwM8L+Qc82zUABfkUV6:e4tPdjF9ggtXxvgs56aA0svAe4cEABfS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • Uninstall.exe (PID: 6760)
      • FlashPlayerUpdateService.exe (PID: 6792)
      • AppVClient.exe (PID: 6864)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • GameInputSvc.exe (PID: 4816)
      • GameInputSvc.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • elevation_service.exe (PID: 6388)
      • GoogleUpdate.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6300)
      • elevation_service.exe (PID: 6344)
      • GoogleUpdate.exe (PID: 6376)
      • maintenanceservice.exe (PID: 6536)
      • GoogleUpdate.exe (PID: 6372)
      • PerceptionSimulationService.exe (PID: 6792)
      • perfhost.exe (PID: 6892)
      • PSEXESVC.exe (PID: 6440)
      • Spectrum.exe (PID: 6224)
      • ssh-agent.exe (PID: 6560)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • GoogleUpdate.exe (PID: 7404)
    • M0YV has been detected (YARA)

      • alg.exe (PID: 6828)
      • Uninstall.exe (PID: 6760)
      • PerceptionSimulationService.exe (PID: 6792)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • GameInputSvc.exe (PID: 6880)
      • GameInputSvc.exe (PID: 4816)
      • elevation_service.exe (PID: 6388)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6300)
      • msdtc.exe (PID: 6612)
      • elevation_service.exe (PID: 6344)
    • Connects to the CnC server

      • Uninstall.exe (PID: 6760)
    • EXPIRO has been detected (SURICATA)

      • Uninstall.exe (PID: 6760)
    • Expiro has been found (SURICATA)

      • Uninstall.exe (PID: 6760)
    • Request for a sinkholed resource

      • Uninstall.exe (PID: 6760)
    • Actions look like stealing of personal data

      • Uninstall.exe (PID: 6760)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Uninstall.exe (PID: 6760)
      • GoogleUpdate.exe (PID: 7800)
      • updater.exe (PID: 1072)
    • Executes as Windows Service

      • FlashPlayerUpdateService.exe (PID: 6792)
      • alg.exe (PID: 6828)
      • AppVClient.exe (PID: 6864)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • FXSSVC.exe (PID: 6644)
      • GameInputSvc.exe (PID: 6880)
      • GoogleUpdate.exe (PID: 6208)
      • maintenanceservice.exe (PID: 6536)
      • msdtc.exe (PID: 6612)
      • PerceptionSimulationService.exe (PID: 6792)
      • Locator.exe (PID: 7136)
      • perfhost.exe (PID: 6892)
      • PSEXESVC.exe (PID: 6440)
      • snmptrap.exe (PID: 6332)
      • SensorDataService.exe (PID: 6460)
      • Spectrum.exe (PID: 6224)
      • ssh-agent.exe (PID: 6560)
      • TieringEngineService.exe (PID: 6368)
      • vds.exe (PID: 7232)
      • AgentService.exe (PID: 7204)
      • wbengine.exe (PID: 7312)
      • WmiApSrv.exe (PID: 7356)
      • VSSVC.exe (PID: 7256)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • GoogleUpdate.exe (PID: 7800)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • GameInputSvc.exe (PID: 6880)
      • GoogleUpdate.exe (PID: 6208)
      • GoogleUpdate.exe (PID: 6300)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • GoogleUpdate.exe (PID: 7800)
      • updater.exe (PID: 1072)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6720)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4760)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1356)
    • Process drops legitimate windows executable

      • Uninstall.exe (PID: 6760)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
    • Executable content was dropped or overwritten

      • Uninstall.exe (PID: 6760)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • GoogleUpdate.exe (PID: 7800)
      • updater.exe (PID: 1072)
    • Contacting a server suspected of hosting a CnC

      • Uninstall.exe (PID: 6760)
    • Potential Corporate Privacy Violation

      • GoogleUpdate.exe (PID: 7800)
    • Process requests binary or script from the Internet

      • GoogleUpdate.exe (PID: 7800)
  • INFO

    • Reads the computer name

      • Uninstall.exe (PID: 6760)
      • FlashPlayerUpdateService.exe (PID: 6792)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6720)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4760)
      • elevation_service.exe (PID: 6388)
      • GoogleUpdate.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6300)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1356)
      • elevation_service.exe (PID: 6344)
      • GoogleUpdate.exe (PID: 6376)
      • GoogleCrashHandler.exe (PID: 6224)
      • maintenanceservice.exe (PID: 6536)
      • GoogleCrashHandler64.exe (PID: 6528)
      • GoogleUpdate.exe (PID: 6372)
      • PSEXESVC.exe (PID: 6440)
      • ssh-agent.exe (PID: 6560)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • GoogleUpdate.exe (PID: 7404)
      • updater.exe (PID: 1072)
    • Checks supported languages

      • Uninstall.exe (PID: 6760)
      • FlashPlayerUpdateService.exe (PID: 6792)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6720)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4760)
      • elevation_service.exe (PID: 6388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1356)
      • GoogleUpdate.exe (PID: 6300)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6208)
      • elevation_service.exe (PID: 6344)
      • GoogleUpdate.exe (PID: 6376)
      • maintenanceservice.exe (PID: 6536)
      • GoogleCrashHandler.exe (PID: 6224)
      • PSEXESVC.exe (PID: 6440)
      • GoogleUpdate.exe (PID: 6372)
      • GoogleCrashHandler64.exe (PID: 6528)
      • ssh-agent.exe (PID: 6560)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • UpdaterSetup.exe (PID: 6376)
      • GoogleUpdate.exe (PID: 7404)
      • updater.exe (PID: 1072)
      • updater.exe (PID: 1436)
    • Creates files or folders in the user directory

      • Uninstall.exe (PID: 6760)
      • GoogleUpdate.exe (PID: 6376)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 6644)
      • GoogleUpdate.exe (PID: 6208)
      • GoogleUpdate.exe (PID: 6300)
      • GoogleUpdate.exe (PID: 6376)
      • maintenanceservice.exe (PID: 6536)
      • GoogleUpdate.exe (PID: 6372)
      • SearchIndexer.exe (PID: 7436)
      • GoogleUpdate.exe (PID: 7800)
      • UpdaterSetup.exe (PID: 6376)
      • GoogleUpdate.exe (PID: 7404)
      • updater.exe (PID: 1072)
      • updater.exe (PID: 1436)
    • Checks proxy server information

      • Uninstall.exe (PID: 6760)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6376)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • GoogleUpdate.exe (PID: 7404)
    • Executes as Windows Service

      • elevation_service.exe (PID: 6388)
      • elevation_service.exe (PID: 6344)
      • SearchIndexer.exe (PID: 7436)
    • Checks transactions between Windows and Oracle databases

      • msdtc.exe (PID: 6612)
    • Reads the time zone

      • TieringEngineService.exe (PID: 6368)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 7688)
    • Creates files in a temporary directory

      • GoogleUpdate.exe (PID: 7800)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1072)
    • Application launched itself

      • chrome.exe (PID: 3672)
    • Manual execution by a user

      • chrome.exe (PID: 3672)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 3672)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:06:25 10:38:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 134656
InitializedDataSize: 301056
UninitializedDataSize: -
EntryPoint: 0xc440
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 5.91.0.0
ProductVersionNumber: 5.91.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: WinRAR
CompanyName: Alexander Roshal
FileDescription: Uninstall WinRAR
FileVersion: 5.91.0
ProductVersion: 5.91.0
InternalName: Uninstall WinRAR
LegalCopyright: Copyright © Alexander Roshal 1993-2020
OriginalFileName: Uninstall.exe
No data.
All screenshots are available in the full report
Total processes
195
Monitored processes
58
Malicious processes
28
Suspicious processes
0

Behavior graph

Interactive process tree; available in the full report. Processes tagged M0YV in the graph: uninstall.exe, flashplayerupdateservice.exe, alg.exe, appvclient.exe, diagnosticshub.standardcollector.service.exe, microsoftedgeupdate.exe, gameinputsvc.exe, elevation_service.exe, googleupdate.exe, maintenanceservice.exe, msdtc.exe, perceptionsimulationservice.exe, perfhost.exe, psexesvc.exe, spectrum.exe, ssh-agent.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
300
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fffd2e5dc40,0x7fffd2e5dc4c,0x7fffd2e5dc58
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1048
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3288 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1072
CMD:
"C:\WINDOWS\SystemTemp\Google6376_713790647\bin\updater.exe" --update --system --enable-logging --vmodule=*/chrome/updater/*=2 /sessionid {BA4FF7C4-4740-4256-99BA-4A9599DF7AED}
Path:
C:\Windows\SystemTemp\Google6376_713790647\bin\updater.exe
Parent process:
UpdaterSetup.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
GoogleUpdater (x86)
Exit code:
0
Version:
129.0.6651.0
Modules
Images
c:\windows\systemtemp\google6376_713790647\bin\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1356
CMD:
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe"
Path:
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.185.17
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\1.3.185.17\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
1436
CMD:
C:\WINDOWS\SystemTemp\Google6376_713790647\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0xa806cc,0xa806d8,0xa806e4
Path:
C:\Windows\SystemTemp\Google6376_713790647\bin\updater.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
GoogleUpdater (x86)
Exit code:
0
Version:
129.0.6651.0
Modules
Images
c:\windows\systemtemp\google6376_713790647\bin\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
2232
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1932 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2256
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
3672
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
4008
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2064 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:3
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
4064
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
26 335
Read events
24 328
Write events
1 900
Delete events
107

Modification events

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation: write
Name: omaha_version
Value:
1100B90003000100

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Booleans
Operation: write
Name: is_system_install
Value:
01000000

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation: write
Name: goopdate_main
Value:
1500000000000000

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation: write
Name: goopdate_constructor
Value:
1500000000000000

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation: write
Name: windows_major_version
Value:
0A00000000000000

(PID) Process: (7084) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: InstallTime
Value: -

(PID) Process: (7084) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
Operation: write
Name: InstallTime
Value: -

(PID) Process: (7120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: write
Name: ThreadingModel
Value:
Both

(PID) Process: (7120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: write
Name: ThreadingModel
Value:
Both

(PID) Process: (7120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}\InprocHandler32
Operation: write
Name: ThreadingModel
Value:
Both
Executable files
150
Suspicious files
15
Text files
21
Unknown types
0

Dropped files

PID | Process | Filename | Type
6792 | FlashPlayerUpdateService.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5:3649E33E4AC578E91608118FC267D845
SHA256:3E30272EF49BA4E9A4B98E2B558BE07C290A936F0D1AE49062E176D07A067CE2
6760 | Uninstall.exe | C:\Windows\System32\GameInputSvc.exe | executable
MD5:777110B83FBA31B4F434C5820B842EC3
SHA256:6A0D2906434C144FCA9602D11AFCD3FA4FE1D21E1C70944B121AF86D426EFFD2
6760 | Uninstall.exe | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | executable
MD5:A887D935923A3D88442A22C54C23AE00
SHA256:E6ED65447E1C754A90587702B6109AD11FECAF8ABE0A2F62F6CB94809DA94ACF
6760 | Uninstall.exe | C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | executable
MD5:F1BE5EE86979A5221A7E54D989A2D6B8
SHA256:66ADF8A94742F654DA604BD8DBCA8C9C9F046E13848231D24AAA10B23EBCE4EB
6760 | Uninstall.exe | C:\Windows\System32\FXSSVC.exe | executable
MD5:71D65E5FADC3D1F0F2A7C26DB053ACF4
SHA256:440E793EA519CA9CEF4D458E1D6BDD79881EF0D6AB96E4D4892C23D104E905B7
6760 | Uninstall.exe | C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe | executable
MD5:6B18B976521FF67E10EDD52D18ABDFF8
SHA256:C626F31D26C333A3553DEA2BCA6DA10811F20AE2484006A70F2F82BCBF46729F
6760 | Uninstall.exe | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | executable
MD5:7F518F328AA0CF5C2DDF9315FAB5585C
SHA256:2443D123899AB145B4C99B9D92525A14E5FBD34EA20421AF2ED6578C4FAB3879
4816 | GameInputSvc.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE | binary
MD5:6B306039D9EF8DCBF2F488269E6DECA1
SHA256:BCECF6601855462FFA023224B12001CDD317E1DBF738BA3DC28D8BCC944B9E14
6760 | Uninstall.exe | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\elevation_service.exe | executable
MD5:83963D4BD96C02AF9C7D60E8DF1FC956
SHA256:60DD4C5481C98299E8F2B6E0A9F7E1CF3F89858D0E203E4ABE56682187B29B6F
6760 | Uninstall.exe | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | executable
MD5:35CC67AD02B1488679E23337FE80890B
SHA256:8088B80619F7D22DD27F42C500E07BBF9B964BD13EBF7889E767B8C859671CCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
192
TCP/UDP connections
67
DNS requests
47
Threats
11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6900 | DiagnosticsHub.StandardCollector.Service.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/ovrabshehoskbplr | - | - | - | unknown
6760 | Uninstall.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/ctauwjvt | - | - | - | unknown
6760 | Uninstall.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/koc | - | - | - | unknown
6900 | DiagnosticsHub.StandardCollector.Service.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/krbgwvkevxfxjqf | - | - | - | unknown
6760 | Uninstall.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/onsmfvp | - | - | - | unknown
6760 | Uninstall.exe | POST | - | 172.234.222.138:80 | http://przvgke.biz/ckothncuhujyma | - | - | - | unknown
6760 | Uninstall.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/iyqqcxbpqjcw | - | - | - | unknown
6900 | DiagnosticsHub.StandardCollector.Service.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/bkbhcleslhxvtpv | - | - | - | unknown
6760 | Uninstall.exe | POST | - | 172.234.222.138:80 | http://przvgke.biz/swiphgxibv | - | - | - | unknown
6900 | DiagnosticsHub.StandardCollector.Service.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/hykemqsfcan | - | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2088 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4876 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6760 | Uninstall.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | unknown
6900 | DiagnosticsHub.StandardCollector.Service.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | unknown
6760 | Uninstall.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown
6376 | GoogleUpdate.exe | 142.250.185.238:443 | clients2.google.com | GOOGLE | US | whitelisted
6900 | DiagnosticsHub.StandardCollector.Service.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown
6760 | Uninstall.exe | 44.221.84.105:80 | npukfztj.biz | AMAZON-AES | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.184.206 | whitelisted
pywolwnvd.biz | 54.244.188.177 | unknown
ssbzmoy.biz | 18.141.10.107 | unknown
clients2.google.com | 142.250.185.238 | whitelisted
cvgrf.biz | 54.244.188.177 | malicious
npukfztj.biz | 44.221.84.105 | unknown
przvgke.biz | 172.234.222.138, 172.234.222.143 | unknown
zlenh.biz | - | unknown
knjghuig.biz | 18.141.10.107 | unknown

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
- | - | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
- | - | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
1 ETPRO signature available in the full report
No debug info