File name:

Uninstall.exe

Full analysis: https://app.any.run/tasks/e87ac8e1-65d6-4f19-b2a3-58222b97042b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. It can profile the victim's system and install other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables, and loaders use evasion and persistence tactics to avoid detection. In this report the loader behaviour belongs to the Expiro (m0yv) file infector: the submitted file carries the version information of the WinRAR 5.91 uninstaller (see the EXIF section below) yet overwrites service executables under C:\Windows\System32 and Program Files (see Dropped files), those binaries then run as Windows services holding the M0YV mutex, and the infected processes POST to a set of short .biz command-and-control domains, some of which are already sinkholed.

Analysis date: August 22, 2024, 01:27:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
expiro
sinkhole
m0yv
stealer
loader
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

C6518571CCEFF45660016E694CF1FBC9

SHA1:

8426C78ECE90B4734001076CBA36631F3ACF8B69

SHA256:

FBC07F59B8891077D9F83D9D483819C11843F20ED69E443C1073C713BA5C2AE8

SSDEEP:

49152:e6JuY1F4SpdjARBZfUb79ggtwHQxvWds56a2HtUdsvYPeHwM8L+Qc82zUABfkUV6:e4tPdjF9ggtXxvgs56aA0svAe4cEABfS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • Uninstall.exe (PID: 6760)
      • FlashPlayerUpdateService.exe (PID: 6792)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • AppVClient.exe (PID: 6864)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • elevation_service.exe (PID: 6388)
      • GameInputSvc.exe (PID: 6880)
      • GameInputSvc.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6300)
      • elevation_service.exe (PID: 6344)
      • GoogleUpdate.exe (PID: 6376)
      • maintenanceservice.exe (PID: 6536)
      • GoogleUpdate.exe (PID: 6372)
      • PerceptionSimulationService.exe (PID: 6792)
      • perfhost.exe (PID: 6892)
      • PSEXESVC.exe (PID: 6440)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • ssh-agent.exe (PID: 6560)
      • Spectrum.exe (PID: 6224)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • GoogleUpdate.exe (PID: 7404)
    • M0YV has been detected (YARA)

      • Uninstall.exe (PID: 6760)
      • PerceptionSimulationService.exe (PID: 6792)
      • alg.exe (PID: 6828)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • GameInputSvc.exe (PID: 6880)
      • GameInputSvc.exe (PID: 4816)
      • elevation_service.exe (PID: 6388)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6300)
      • elevation_service.exe (PID: 6344)
      • msdtc.exe (PID: 6612)
    • Connects to the CnC server

      • Uninstall.exe (PID: 6760)
    • EXPIRO has been detected (SURICATA)

      • Uninstall.exe (PID: 6760)
    • Expiro has been found (SURICATA)

      • Uninstall.exe (PID: 6760)
    • Request for a sinkholed resource

      • Uninstall.exe (PID: 6760)
    • Actions look like stealing of personal data

      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • Uninstall.exe (PID: 6760)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Uninstall.exe (PID: 6760)
      • GoogleUpdate.exe (PID: 7800)
      • updater.exe (PID: 1072)
    • Executes as Windows Service

      • FlashPlayerUpdateService.exe (PID: 6792)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • AppVClient.exe (PID: 6864)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • alg.exe (PID: 6828)
      • FXSSVC.exe (PID: 6644)
      • GameInputSvc.exe (PID: 6880)
      • GoogleUpdate.exe (PID: 6208)
      • maintenanceservice.exe (PID: 6536)
      • msdtc.exe (PID: 6612)
      • PerceptionSimulationService.exe (PID: 6792)
      • perfhost.exe (PID: 6892)
      • PSEXESVC.exe (PID: 6440)
      • Locator.exe (PID: 7136)
      • SensorDataService.exe (PID: 6460)
      • snmptrap.exe (PID: 6332)
      • Spectrum.exe (PID: 6224)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • wbengine.exe (PID: 7312)
      • TieringEngineService.exe (PID: 6368)
      • WmiApSrv.exe (PID: 7356)
      • VSSVC.exe (PID: 7256)
      • vds.exe (PID: 7232)
      • AgentService.exe (PID: 7204)
      • ssh-agent.exe (PID: 6560)
      • GoogleUpdate.exe (PID: 7800)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • GameInputSvc.exe (PID: 6880)
      • GoogleUpdate.exe (PID: 6208)
      • GoogleUpdate.exe (PID: 6300)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • GoogleUpdate.exe (PID: 7800)
      • updater.exe (PID: 1072)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4760)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6720)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1356)
    • Process drops legitimate windows executable

      • Uninstall.exe (PID: 6760)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
    • Executable content was dropped or overwritten

      • Uninstall.exe (PID: 6760)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 6900)
      • GoogleUpdate.exe (PID: 7800)
      • updater.exe (PID: 1072)
    • Contacting a server suspected of hosting a CnC

      • Uninstall.exe (PID: 6760)
    • Potential Corporate Privacy Violation

      • GoogleUpdate.exe (PID: 7800)
    • Process requests binary or script from the Internet

      • GoogleUpdate.exe (PID: 7800)
  • INFO

    • Creates files or folders in the user directory

      • Uninstall.exe (PID: 6760)
      • GoogleUpdate.exe (PID: 6376)
    • Checks supported languages

      • Uninstall.exe (PID: 6760)
      • FlashPlayerUpdateService.exe (PID: 6792)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6720)
      • elevation_service.exe (PID: 6388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4760)
      • GoogleUpdate.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • GoogleUpdate.exe (PID: 6300)
      • GoogleUpdate.exe (PID: 6376)
      • elevation_service.exe (PID: 6344)
      • GoogleCrashHandler.exe (PID: 6224)
      • GoogleUpdate.exe (PID: 6372)
      • maintenanceservice.exe (PID: 6536)
      • GoogleCrashHandler64.exe (PID: 6528)
      • PSEXESVC.exe (PID: 6440)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • ssh-agent.exe (PID: 6560)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • UpdaterSetup.exe (PID: 6376)
      • GoogleUpdate.exe (PID: 7404)
      • updater.exe (PID: 1072)
      • updater.exe (PID: 1436)
    • Reads the computer name

      • Uninstall.exe (PID: 6760)
      • FlashPlayerUpdateService.exe (PID: 6792)
      • MicrosoftEdgeUpdate.exe (PID: 6944)
      • MicrosoftEdgeUpdate.exe (PID: 7084)
      • MicrosoftEdgeUpdate.exe (PID: 7120)
      • elevation_service.exe (PID: 6388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6720)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4760)
      • GoogleUpdate.exe (PID: 6208)
      • GoogleUpdate.exe (PID: 6300)
      • MicrosoftEdgeUpdate.exe (PID: 6256)
      • elevation_service.exe (PID: 6344)
      • GoogleUpdate.exe (PID: 6376)
      • GoogleCrashHandler.exe (PID: 6224)
      • maintenanceservice.exe (PID: 6536)
      • GoogleCrashHandler64.exe (PID: 6528)
      • GoogleUpdate.exe (PID: 6372)
      • PSEXESVC.exe (PID: 6440)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • ssh-agent.exe (PID: 6560)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • GoogleUpdate.exe (PID: 7800)
      • GoogleUpdate.exe (PID: 7404)
      • updater.exe (PID: 1072)
    • Executes as Windows Service

      • elevation_service.exe (PID: 6388)
      • elevation_service.exe (PID: 6344)
      • SearchIndexer.exe (PID: 7436)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 6644)
      • GoogleUpdate.exe (PID: 6208)
      • GoogleUpdate.exe (PID: 6300)
      • maintenanceservice.exe (PID: 6536)
      • GoogleUpdate.exe (PID: 6376)
      • GoogleUpdate.exe (PID: 6372)
      • SearchIndexer.exe (PID: 7436)
      • GoogleUpdate.exe (PID: 7800)
      • UpdaterSetup.exe (PID: 6376)
      • GoogleUpdate.exe (PID: 7404)
      • updater.exe (PID: 1072)
      • updater.exe (PID: 1436)
    • Checks proxy server information

      • Uninstall.exe (PID: 6760)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6376)
      • MicrosoftEdgeUpdate.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 7628)
      • GoogleUpdate.exe (PID: 7800)
      • GoogleUpdate.exe (PID: 7404)
    • Checks transactions between Windows and Oracle databases

      • msdtc.exe (PID: 6612)
    • Reads the time zone

      • TieringEngineService.exe (PID: 6368)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 7688)
    • Creates files in a temporary directory

      • GoogleUpdate.exe (PID: 7800)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1072)
    • Manual execution by a user

      • chrome.exe (PID: 3672)
    • Application launched itself

      • chrome.exe (PID: 3672)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 3672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:06:25 10:38:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 134656
InitializedDataSize: 301056
UninitializedDataSize: -
EntryPoint: 0xc440
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 5.91.0.0
ProductVersionNumber: 5.91.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: WinRAR
CompanyName: Alexander Roshal
FileDescription: Uninstall WinRAR
FileVersion: 5.91.0
ProductVersion: 5.91.0
InternalName: Uninstall WinRAR
LegalCopyright: Copyright © Alexander Roshal 1993-2020
OriginalFileName: Uninstall.exe
No data.
All screenshots are available in the full report
Total processes
195
Monitored processes
58
Malicious processes
28
Suspicious processes
0

Behavior graph

start
  • #M0YV uninstall.exe
  • #M0YV flashplayerupdateservice.exe (no specs)
  • #M0YV alg.exe (no specs)
  • #M0YV appvclient.exe (no specs)
  • #M0YV diagnosticshub.standardcollector.service.exe
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • fxssvc.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV gameinputsvc.exe (no specs)
  • #M0YV gameinputsvc.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV elevation_service.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV microsoftedgeupdate.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV elevation_service.exe (no specs)
  • #M0YV googleupdate.exe
  • googlecrashhandler.exe (no specs)
  • googlecrashhandler64.exe (no specs)
  • #M0YV maintenanceservice.exe (no specs)
  • #M0YV googleupdate.exe (no specs)
  • #M0YV msdtc.exe (no specs)
  • #M0YV perceptionsimulationservice.exe (no specs)
  • #M0YV perfhost.exe (no specs)
  • #M0YV psexesvc.exe (no specs)
  • locator.exe (no specs)
  • sensordataservice.exe (no specs)
  • snmptrap.exe (no specs)
  • #M0YV spectrum.exe (no specs)
  • #M0YV ssh-agent.exe (no specs)
  • tieringengineservice.exe (no specs)
  • agentservice.exe (no specs)
  • vds.exe (no specs)
  • vssvc.exe (no specs)
  • wbengine.exe (no specs)
  • wmiapsrv.exe (no specs)
  • searchindexer.exe (no specs)
  • svchost.exe
  • #M0YV microsoftedgeupdate.exe
  • #M0YV microsoftedgeupdate.exe
  • Delivery Optimization User (no specs)
  • #M0YV googleupdate.exe
  • updatersetup.exe (no specs)
  • #M0YV googleupdate.exe
  • updater.exe
  • updater.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • uninstall.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fffd2e5dc40,0x7fffd2e5dc4c,0x7fffd2e5dc58
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1048
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3288 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1072
CMD: "C:\WINDOWS\SystemTemp\Google6376_713790647\bin\updater.exe" --update --system --enable-logging --vmodule=*/chrome/updater/*=2 /sessionid {BA4FF7C4-4740-4256-99BA-4A9599DF7AED}
Path: C:\Windows\SystemTemp\Google6376_713790647\bin\updater.exe
Parent process: UpdaterSetup.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
GoogleUpdater (x86)
Exit code:
0
Version:
129.0.6651.0
Modules
Images
c:\windows\systemtemp\google6376_713790647\bin\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1356
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe"
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.185.17
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\1.3.185.17\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1436
CMD: C:\WINDOWS\SystemTemp\Google6376_713790647\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0xa806cc,0xa806d8,0xa806e4
Path: C:\Windows\SystemTemp\Google6376_713790647\bin\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
GoogleUpdater (x86)
Exit code:
0
Version:
129.0.6651.0
Modules
Images
c:\windows\systemtemp\google6376_713790647\bin\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2232
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1932 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3672
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4008
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2064 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4064
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1920,i,18192837463213692926,748435425703930739,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
26 335
Read events
24 328
Write events
1 900
Delete events
107

Modification events

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation: write
Name: omaha_version
Value: 1100B90003000100

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Booleans
Operation: write
Name: is_system_install
Value: 01000000

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation: write
Name: goopdate_main
Value: 1500000000000000

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts
Operation: write
Name: goopdate_constructor
Value: 1500000000000000

(PID) Process: (6944) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Integers
Operation: write
Name: windows_major_version
Value: 0A00000000000000

(PID) Process: (7084) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: InstallTime
Value:

(PID) Process: (7084) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
Operation: write
Name: InstallTime
Value:

(PID) Process: (7120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (7120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (7120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}\InprocHandler32
Operation: write
Name: ThreadingModel
Value: Both
Executable files
150
Suspicious files
15
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
6864 | AppVClient.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 537826D06BAA292D1250E64092A29582
SHA256: 8FC21F7AA71D5522D743E7A9A8996084384A30F4B2B928CA2867B23D05A42628

6760 | Uninstall.exe | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | executable
MD5: A887D935923A3D88442A22C54C23AE00
SHA256: E6ED65447E1C754A90587702B6109AD11FECAF8ABE0A2F62F6CB94809DA94ACF

6760 | Uninstall.exe | C:\Windows\System32\GameInputSvc.exe | executable
MD5: 777110B83FBA31B4F434C5820B842EC3
SHA256: 6A0D2906434C144FCA9602D11AFCD3FA4FE1D21E1C70944B121AF86D426EFFD2

6792 | FlashPlayerUpdateService.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 3649E33E4AC578E91608118FC267D845
SHA256: 3E30272EF49BA4E9A4B98E2B558BE07C290A936F0D1AE49062E176D07A067CE2

6760 | Uninstall.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 16D49EFC1650E6C59EB5DFB1B4BE563B
SHA256: 274BD14DCB2B286DE11755B3B80AAD81C4B637FED90DDDF544830736A464D474

6760 | Uninstall.exe | C:\Windows\System32\alg.exe | executable
MD5: 46FD20F2D2306852C468CA5EFAFEB3E2
SHA256: 68B3B9D086D97EADC317626E74309196EFD3516E7153E76ABD9D522EBBC3EB13

6760 | Uninstall.exe | C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | executable
MD5: F1BE5EE86979A5221A7E54D989A2D6B8
SHA256: 66ADF8A94742F654DA604BD8DBCA8C9C9F046E13848231D24AAA10B23EBCE4EB

6760 | Uninstall.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | executable
MD5: C682C4D4CB5628E0DDE34F384198D249
SHA256: 4495800BFD573650BBF8D282D627DAD02FDA4624A1D5503FF948FFB7B8B2B6E3

6760 | Uninstall.exe | C:\Windows\System32\FXSSVC.exe | executable
MD5: 71D65E5FADC3D1F0F2A7C26DB053ACF4
SHA256: 440E793EA519CA9CEF4D458E1D6BDD79881EF0D6AB96E4D4892C23D104E905B7

6760 | Uninstall.exe | C:\Windows\System32\AppVClient.exe | executable
MD5: 24C14055F5F352E9120F0CF904F390A0
SHA256: 2DBE326D79620D75324CEA702CAA88B00365B1830366E281B1A944FDDAB91029
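The dropped-file rows show the Expiro pattern: a user-launched binary (Uninstall.exe, PID 6760) writes executables over existing service binaries under C:\Windows\System32 and Program Files, those binaries then start as Windows services carrying the M0YV mutex, and one of them (DiagnosticsHub.StandardCollector.Service.exe, PID 6900) goes on to drop executables itself. The same state file, 26b799fa89ba8c8f.bin, is written into the user's Roaming profile and into both service profile directories. The following Python is an added example, not ANY.RUN's code and not part of this report. It parses records in the three-line layout used above (the embedded sample is a subset of the rows on this page), flags writes of executables into protected directories by a process that is not an allow-listed installer, groups those writes by writer to surface the "one process overwrote several unrelated service binaries" signal, reports file names dropped into several profile directories, and collects the SHA256 values for blocking. The installer allow-list and the threshold of three targets are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed from the "Dropped files" rows of this report (a subset): one line
# with PID, writing process, path and type, then the MD5 and SHA256 lines.
SAMPLE_RECORDS = r"""
6864 AppVClient.exe C:\Windows\System32\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin binary
MD5:537826D06BAA292D1250E64092A29582
SHA256:8FC21F7AA71D5522D743E7A9A8996084384A30F4B2B928CA2867B23D05A42628
6760 Uninstall.exe C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe executable
MD5:A887D935923A3D88442A22C54C23AE00
SHA256:E6ED65447E1C754A90587702B6109AD11FECAF8ABE0A2F62F6CB94809DA94ACF
6792 FlashPlayerUpdateService.exe C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin binary
MD5:3649E33E4AC578E91608118FC267D845
SHA256:3E30272EF49BA4E9A4B98E2B558BE07C290A936F0D1AE49062E176D07A067CE2
6760 Uninstall.exe C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin binary
MD5:16D49EFC1650E6C59EB5DFB1B4BE563B
SHA256:274BD14DCB2B286DE11755B3B80AAD81C4B637FED90DDDF544830736A464D474
6760 Uninstall.exe C:\Windows\System32\alg.exe executable
MD5:46FD20F2D2306852C468CA5EFAFEB3E2
SHA256:68B3B9D086D97EADC317626E74309196EFD3516E7153E76ABD9D522EBBC3EB13
6760 Uninstall.exe C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe executable
MD5:F1BE5EE86979A5221A7E54D989A2D6B8
SHA256:66ADF8A94742F654DA604BD8DBCA8C9C9F046E13848231D24AAA10B23EBCE4EB
6760 Uninstall.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe executable
MD5:C682C4D4CB5628E0DDE34F384198D249
SHA256:4495800BFD573650BBF8D282D627DAD02FDA4624A1D5503FF948FFB7B8B2B6E3
6760 Uninstall.exe C:\Windows\System32\AppVClient.exe executable
MD5:24C14055F5F352E9120F0CF904F390A0
SHA256:2DBE326D79620D75324CEA702CAA88B00365B1830366E281B1A944FDDAB91029
"""

# Directories where an ordinary process overwriting an executable is a strong
# file-infector signal; Expiro patches the service binaries that live here.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\program files\\", "c:\\program files (x86)\\")
# Writers allowed to replace binaries there. Assumed for the example; tune it.
INSTALLER_ALLOWLIST = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}

@dataclass
class DroppedFile:
    pid: int
    writer: str
    path: str
    kind: str
    hashes: dict = field(default_factory=dict)

HEAD = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+(executable|binary|text)$")
HASH = re.compile(r"^(MD5|SHA256):([0-9A-Fa-f]+)$")

def parse_records(text):
    """Parse the three-line record layout used in the report."""
    records = []
    for line in text.strip().splitlines():
        m = HEAD.match(line)
        if m:
            pid, writer, path, kind = m.groups()
            records.append(DroppedFile(int(pid), writer, path, kind))
        elif (h := HASH.match(line)) and records:
            records[-1].hashes[h.group(1)] = h.group(2).upper()
    return records

def suspicious_executable_writes(records, allowlist=INSTALLER_ALLOWLIST):
    """Executables written under a protected directory by a non-installer."""
    return [r for r in records if r.kind == "executable"
            and r.path.lower().startswith(PROTECTED_PREFIXES)
            and r.writer.lower() not in allowlist]

def infector_candidates(records, min_targets=3):
    """Writers that overwrote several unrelated protected executables. A real
    updater touches its own product; one process hitting alg.exe, AppVClient.exe
    and a Mozilla service binary at once is the infector pattern."""
    by_writer = defaultdict(list)
    for r in suspicious_executable_writes(records):
        by_writer[r.writer].append(r.path)
    return {w: sorted(p) for w, p in by_writer.items() if len(p) >= min_targets}

def repeated_artifact_names(records, min_dirs=2):
    """Same file name dropped into several profile directories: each infected
    process (user and service contexts) writes its own copy of the state file."""
    dirs = defaultdict(set)
    for r in records:
        folder, _, name = r.path.rpartition("\\")
        dirs[name].add(folder.lower())
    return {n: len(d) for n, d in dirs.items() if len(d) >= min_dirs}

def block_list(records):
    """SHA256 values of the flagged executables, for AV/EDR blocking."""
    return sorted(r.hashes["SHA256"] for r in suspicious_executable_writes(records)
                  if "SHA256" in r.hashes)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for writer, paths in infector_candidates(recs).items():
        print(f"{writer}: overwrote {len(paths)} protected executables")
    print("repeated artifacts:", repeated_artifact_names(recs))
```

The hashes in the block list are those of the infected copies, so they are useful for blocking and for sweeping other hosts, but an infected service binary on a different machine will carry a different hash (the host file differs), which is why the writer-based and artifact-name checks matter more than the hash match when hunting.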
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
192
TCP/UDP connections
67
DNS requests
47
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6760
Uninstall.exe
POST
200
54.244.188.177:80
http://pywolwnvd.biz/koc
unknown
unknown
7824
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8b0b3233-daaf-48b9-aa04-b34ba9e42980?P1=1724894881&P2=404&P3=2&P4=BfU0N2%2fdG8XgHyDFKJl0sIx%2bOEequxHy3eLQFhG2WypOTMKk1OjuKh3zGYpqyhTt17y1EE5dJqjBEMzbOd0D6g%3d%3d
unknown
whitelisted
6900
DiagnosticsHub.StandardCollector.Service.exe
POST
200
54.244.188.177:80
http://pywolwnvd.biz/ovrabshehoskbplr
unknown
unknown
6900
DiagnosticsHub.StandardCollector.Service.exe
POST
200
18.141.10.107:80
http://ssbzmoy.biz/krbgwvkevxfxjqf
unknown
unknown
6760
Uninstall.exe
POST
200
18.141.10.107:80
http://ssbzmoy.biz/ctauwjvt
unknown
unknown
6760
Uninstall.exe
POST
200
54.244.188.177:80
http://cvgrf.biz/iyqqcxbpqjcw
unknown
unknown
6760
Uninstall.exe
POST
200
44.221.84.105:80
http://npukfztj.biz/onsmfvp
unknown
unknown
6760
Uninstall.exe
POST
172.234.222.138:80
http://przvgke.biz/ckothncuhujyma
unknown
unknown
6900
DiagnosticsHub.StandardCollector.Service.exe
POST
200
54.244.188.177:80
http://cvgrf.biz/bkbhcleslhxvtpv
unknown
unknown
6760
Uninstall.exe
POST
172.234.222.138:80
http://przvgke.biz/swiphgxibv
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4876
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6760
Uninstall.exe
54.244.188.177:80
pywolwnvd.biz
AMAZON-02
US
unknown
6900
DiagnosticsHub.StandardCollector.Service.exe
54.244.188.177:80
pywolwnvd.biz
AMAZON-02
US
unknown
6760
Uninstall.exe
18.141.10.107:80
ssbzmoy.biz
AMAZON-02
SG
unknown
6376
GoogleUpdate.exe
142.250.185.238:443
clients2.google.com
GOOGLE
US
whitelisted
6900
DiagnosticsHub.StandardCollector.Service.exe
18.141.10.107:80
ssbzmoy.biz
AMAZON-02
SG
unknown
6760
Uninstall.exe
44.221.84.105:80
npukfztj.biz
AMAZON-AES
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
pywolwnvd.biz
  • 54.244.188.177
unknown
ssbzmoy.biz
  • 18.141.10.107
unknown
clients2.google.com
  • 142.250.185.238
whitelisted
cvgrf.biz
  • 54.244.188.177
malicious
npukfztj.biz
  • 44.221.84.105
unknown
przvgke.biz
  • 172.234.222.138
  • 172.234.222.143
unknown
zlenh.biz
unknown
knjghuig.biz
  • 18.141.10.107
unknown

Threats

PID
Process
Class
Message
6760
Uninstall.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6760
Uninstall.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6760
Uninstall.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6760
Uninstall.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6760
Uninstall.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6760
Uninstall.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2256
svchost.exe
A Network Trojan was detected
ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2256
svchost.exe
A Network Trojan was detected
ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
7800
GoogleUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7800
GoogleUpdate.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1 ETPRO signatures available at the full report
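The network data above shows the infected processes (Uninstall.exe, PID 6760, and the infected DiagnosticsHub service, PID 6900) POSTing to a set of short .biz domains resolving to cloud-hosted IPs, with Suricata flagging AnubisNetworks sinkhole cookie values (Snkz, btst) in the responses and DNS queries to an Expiro-related domain. Only cvgrf.biz carries a "malicious" reputation; the others are "unknown", which is not the same as benign, since the same processes use them with the same POST pattern. The following Python is an added example, not part of this report or of ANY.RUN: it builds an indicator set from the DNS requests and Connections tables (the domain and IP lists in the block are copied from this page), runs a small detection over constructed resolver and proxy log lines to flag clients that queried or contacted an indicator (matching parent domains and direct-to-IP requests), and separately flags HTTP responses carrying a sinkhole cookie token. The log layouts, client addresses and cookie layout are assumptions; the alert names on this page give only the token values, so the check accepts the token as either cookie name or value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from the DNS requests and Connections tables of this report.
C2_DOMAINS = {"pywolwnvd.biz", "ssbzmoy.biz", "cvgrf.biz", "npukfztj.biz",
              "przvgke.biz", "zlenh.biz", "knjghuig.biz"}
C2_IPS = {"54.244.188.177", "18.141.10.107", "44.221.84.105",
          "172.234.222.138", "172.234.222.143"}
# Token values named in the ET "AnubisNetworks Sinkhole Cookie Value" alerts.
SINKHOLE_TOKENS = {"Snkz", "btst"}

# Constructed sample logs, not from the report. Layout assumed for the example:
# resolver log "time client qtype qname", proxy log "time client method url dst_ip status".
DNS_LOG = """\
2024-08-22T01:27:50Z 10.0.0.15 A pywolwnvd.biz
2024-08-22T01:27:51Z 10.0.0.15 A knjghuig.biz
2024-08-22T01:27:52Z 10.0.0.21 A settings-win.data.microsoft.com
2024-08-22T01:28:03Z 10.0.0.33 A www.przvgke.biz
2024-08-22T01:28:10Z 10.0.0.21 A clients2.google.com
"""
PROXY_LOG = """\
2024-08-22T01:27:53Z 10.0.0.15 POST http://pywolwnvd.biz/koc 54.244.188.177 200
2024-08-22T01:27:55Z 10.0.0.21 GET http://msedge.b.tlu.dl.delivery.mp.microsoft.com/f 199.232.214.172 206
2024-08-22T01:28:05Z 10.0.0.33 POST http://przvgke.biz/ckothncuhujyma 172.234.222.138 -
2024-08-22T01:28:07Z 10.0.0.40 POST http://54.244.188.177/iyqqcxbpqjcw 54.244.188.177 200
"""
# Constructed HTTP response header blocks per client, as a proxy might log them.
HTTP_RESPONSES = [
    ("10.0.0.15", "HTTP/1.1 200 OK\r\nSet-Cookie: btst=93f1; path=/\r\nContent-Length: 0\r\n"),
    ("10.0.0.21", "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; HttpOnly\r\n"),
    ("10.0.0.33", "HTTP/1.1 200 OK\r\nSet-Cookie: id=Snkz; path=/\r\n"),
]

def domain_hit(host):
    """Return the matching indicator for host or any parent domain, else None.
    Suffix matching on labels avoids substring hits like notcvgrf.biz."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in C2_DOMAINS:
            return cand
    return None

def scan_dns(log):
    """client -> set of C2 domains it resolved."""
    hits = defaultdict(set)
    for line in log.splitlines():
        _, client, _, qname = line.split()
        if (d := domain_hit(qname)):
            hits[client].add(d)
    return dict(hits)

def scan_proxy(log):
    """client -> set of indicators (domain or IP) it contacted; a request made
    straight to the IP still matches on the URL host and destination address."""
    hits = defaultdict(set)
    for line in log.splitlines():
        _, client, _, url, dst_ip, _ = line.split()
        host = urlsplit(url).hostname or ""
        if (d := domain_hit(host)):
            hits[client].add(d)
        for indicator in (host, dst_ip):
            if indicator in C2_IPS:
                hits[client].add(indicator)
    return dict(hits)

COOKIE = re.compile(r"^Set-Cookie:\s*([^=;]+)=([^;]*)", re.I | re.M)

def scan_responses(responses):
    """(client, cookie) pairs whose cookie name or value is a sinkhole token."""
    out = []
    for client, headers in responses:
        for name, value in COOKIE.findall(headers):
            name, value = name.strip(), value.strip()
            if name in SINKHOLE_TOKENS or value in SINKHOLE_TOKENS:
                out.append((client, f"{name}={value}"))
    return out

def compromised_hosts(dns_log=DNS_LOG, proxy_log=PROXY_LOG, responses=HTTP_RESPONSES):
    """Merge the three signals into client -> sorted list of reasons."""
    reasons = defaultdict(set)
    for client, hits in scan_dns(dns_log).items():
        reasons[client] |= {f"dns:{h}" for h in hits}
    for client, hits in scan_proxy(proxy_log).items():
        reasons[client] |= {f"http:{h}" for h in hits}
    for client, cookie in scan_responses(responses):
        reasons[client].add(f"sinkhole-cookie:{cookie}")
    return {c: sorted(r) for c, r in sorted(reasons.items())}

if __name__ == "__main__":
    for client, why in compromised_hosts().items():
        print(client, ", ".join(why))
```

A sinkhole cookie is evidence of infection, not of attacker control: the domain has been taken over by a researcher, so the response is harmless, but the host that sent the request is still running the infector and needs the same remediation as one talking to a live C2. The cloud IPs in the table (AMAZON-02, AMAZON-AES) are shared infrastructure and should be treated as short-lived indicators, the domains as the more durable ones.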
No debug info