File name:

update.exe

Full analysis: https://app.any.run/tasks/1604f209-48da-4d7e-bc44-3fe9782ea93e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer malware category includes various types of programs, each focusing on its particular kind of data, such as files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 02, 2024, 20:24:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

C2CCA36DDF698A085F97AD8AB2C1B4B9

SHA1:

979624C75E99422E067BBCC1D6245EBB9DCC3530

SHA256:

FCC5CDD8BA7661040F53041EB1167FFF8517ADBFC9E9F2A5AB9E5228BE6551ED

SSDEEP:

98304:pXB4Ou7axPYUa0usWkTunZDANI/RHCf/GUN+jhv/4Y3vYEfa8FdD1G2nno3qjzzb:bXC6P0mfhWsmFdII

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • update.exe (PID: 6424)
      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • Actions look like stealing of personal data

      • update.exe (PID: 1664)
      • update.exe (PID: 6888)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • update.exe (PID: 6424)
      • update.exe (PID: 4692)
    • Reads the date of Windows installation

      • update.exe (PID: 6424)
      • update.exe (PID: 4692)
    • Executable content was dropped or overwritten

      • update.exe (PID: 6424)
      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • The process drops C-runtime libraries

      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • Process drops legitimate windows executable

      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • Process drops python dynamic module

      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • Application launched itself

      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • Loads Python modules

      • update.exe (PID: 6888)
      • update.exe (PID: 1664)
  • INFO

    • Creates files or folders in the user directory

      • update.exe (PID: 6424)
    • Checks supported languages

      • update.exe (PID: 6580)
      • update.exe (PID: 6424)
      • update.exe (PID: 6888)
      • update.exe (PID: 4692)
      • update.exe (PID: 6224)
      • update.exe (PID: 1664)
    • Reads the computer name

      • update.exe (PID: 6580)
      • update.exe (PID: 6424)
      • update.exe (PID: 6888)
      • update.exe (PID: 4692)
      • update.exe (PID: 6224)
      • update.exe (PID: 1664)
    • Process checks computer location settings

      • update.exe (PID: 6424)
      • update.exe (PID: 4692)
    • Reads the machine GUID from the registry

      • update.exe (PID: 6424)
      • update.exe (PID: 4692)
    • Create files in a temporary directory

      • update.exe (PID: 6580)
      • update.exe (PID: 6224)
    • Checks proxy server information

      • update.exe (PID: 6888)
      • update.exe (PID: 1664)
    • Manual execution by a user

      • update.exe (PID: 4692)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:02 20:21:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 8407552
InitializedDataSize: 118272
UninitializedDataSize: -
EntryPoint: 0x80682e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 128.0.6597.0
ProductVersionNumber: 128.0.6597.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Google LLC
FileDescription: Google Chrome Installer
FileVersion: 128.0.6597.0
InternalName: update.exe
LegalCopyright: Copyright 2024 Google LLC. All rights reserved.
OriginalFileName: update.exe
ProductName: Google Chrome Installer
ProductVersion: 128.0.6597.0
AssemblyVersion: 128.0.6597.0
No data.
All screenshots are available in the full report
Total processes
131
Monitored processes
8
Malicious processes
6
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1664
CMD:
"C:\Users\admin\AppData\Roaming\update.exe"
Path:
C:\Users\admin\AppData\Roaming\update.exe
Parent process:
update.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
4692
CMD:
"C:\Users\admin\Desktop\update.exe"
Path:
C:\Users\admin\Desktop\update.exe
Parent process:
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome Installer
Exit code:
0
Version:
128.0.6597.0
Modules
Images
c:\users\admin\desktop\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6224
CMD:
"C:\Users\admin\AppData\Roaming\update.exe"
Path:
C:\Users\admin\AppData\Roaming\update.exe
Parent process:
update.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
6296
CMD:
"C:\Users\admin\AppData\Roaming\update.exe"
Path:
C:\Users\admin\AppData\Roaming\update.exe
Parent process:
update.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
PID:
6424
CMD:
"C:\Users\admin\Desktop\update.exe"
Path:
C:\Users\admin\Desktop\update.exe
Parent process:
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome Installer
Exit code:
0
Version:
128.0.6597.0
Modules
Images
c:\users\admin\desktop\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
6532
CMD:
"C:\Users\admin\AppData\Roaming\update.exe"
Path:
C:\Users\admin\AppData\Roaming\update.exe
Parent process:
update.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
PID:
6580
CMD:
"C:\Users\admin\AppData\Roaming\update.exe"
Path:
C:\Users\admin\AppData\Roaming\update.exe
Parent process:
update.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
6888
CMD:
"C:\Users\admin\AppData\Roaming\update.exe"
Path:
C:\Users\admin\AppData\Roaming\update.exe
Parent process:
update.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
8 013
Read events
7 997
Write events
16
Delete events
0

Modification events

(PID) Process: (6424) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (6424) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (6424) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (6424) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (4692) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (4692) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (4692) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (4692) update.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Executable files
31
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6424 | Process: update.exe | Filename: C:\Users\admin\AppData\Roaming\update.exe | Type: executable
MD5: 52D0E0C9FA8132F61DB14362DE90EE32
SHA256: 0F8B00FB84C2BB69E569BC502B38821D0596AA1720E5E28076A4872664C48D74
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\_decimal.pyd | Type: executable
MD5: 492C0C36D8ED1B6CA2117869A09214DA
SHA256: B8221D1C9E2C892DD6227A6042D1E49200CD5CB82ADBD998E4A77F4EE0E9ABF1
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\_bz2.pyd | Type: executable
MD5: 5BEBC32957922FE20E927D5C4637F100
SHA256: 3ED0E5058D370FB14AA5469D81F96C5685559C054917C7280DD4125F21D25F62
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\libssl-3.dll | Type: executable
MD5: 19A2ABA25456181D5FB572D88AC0E73E
SHA256: 2E9FBCD8F7FDC13A5179533239811456554F2B3AA2FB10E1B17BE0DF81C79006
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\unicodedata.pyd | Type: executable
MD5: CC8142BEDAFDFAA50B26C6D07755C7A6
SHA256: BC2CF23B7B7491EDCF03103B78DBAF42AFD84A60EA71E764AF9A1DDD0FE84268
PID: 6224 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI62242\_bz2.pyd | Type: executable
MD5: 5BEBC32957922FE20E927D5C4637F100
SHA256: 3ED0E5058D370FB14AA5469D81F96C5685559C054917C7280DD4125F21D25F62
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\charset_normalizer\md__mypyc.cp312-win_amd64.pyd | Type: executable
MD5: BF9A9DA1CF3C98346002648C3EAE6DCF
SHA256: 4107B1D6F11D842074A9F21323290BBE97E8EED4AA778FBC348EE09CC4FA4637
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\select.pyd | Type: executable
MD5: D0CC9FC9A0650BA00BD206720223493B
SHA256: 411D6F538BDBAF60F1A1798FA8AA7ED3A4E8FCC99C9F9F10D21270D2F3742019
PID: 6580 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI65802\python312.dll | Type: executable
MD5: D521654D889666A0BC753320F071EF60
SHA256: 21700F0BAD5769A1B61EA408DC0A140FFD0A356A774C6EB0CC70E574B929D2E2
PID: 6224 | Process: update.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI62242\VCRUNTIME140.dll | Type: executable
MD5: BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256: 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
120
DNS requests
13
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
POST | 204 | 104.126.37.179:443 | https://www.bing.com/threshold/xls.aspx | unknown
GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=ODSWG.9ac297be-edd3-42db-b1fb-9f516a8c0b22&w=124&h=154&c=1&rs=1&p=0 | unknown | image | 4.02 Kb
GET | 200 | 104.126.37.139:443 | https://r.bing.com/rb/16/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe36_AcIBMbIBMcUB&or=w | unknown | s | 21.4 Kb
GET | 200 | 104.126.37.154:443 | https://www.bing.com/th?id=ODSWG.eac17cda-7fd9-45b5-9d27-674c8dccb299&pid=dsb | unknown | image | 46.0 Kb
GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=OVF.fSIsIUiAuhX%2bJG2iNlKcEQ&w=180&h=102&c=1&rs=1&p=0 | unknown | image | 4.80 Kb
GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=OVP.VSVOKVPzw6OmNSu3qSTg7AHgFo&w=180&h=102&c=1&rs=1&p=0 | unknown | image | 4.32 Kb
GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=OVP.ZzNZ9SoBNHrD7kNt6Fa03AHgFo&w=180&h=102&c=1&rs=1&p=0 | unknown | image | 5.40 Kb
GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=OVP.j14iZDfyCnwxObfXVPkomQEsDh&w=180&h=102&c=1&rs=1&p=0 | unknown | image | 4.78 Kb
GET | 200 | 104.126.37.154:443 | https://th.bing.com/th?id=ODSWG.f1fae55d-6e2a-421d-ac5e-0dd33e4571df&w=124&h=154&c=1&rs=1&p=0 | unknown | image | 6.24 Kb
GET | 200 | 104.126.37.155:443 | https://th.bing.com/th?id=ODSWG.a63c4ede-672e-4b0b-b035-e0f9aa973fce&c=1&rs=1&p=0 | unknown | image | 1.05 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | whitelisted
692 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1984 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
692 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6888 | update.exe | 188.114.96.3:443 | maldroid.dev | CLOUDFLARENET | NL | unknown
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1664 | update.exe | 188.114.96.3:443 | maldroid.dev | CLOUDFLARENET | NL | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
maldroid.dev
  • 188.114.96.3
  • 188.114.97.3
malicious
www.bing.com
  • 104.126.37.185
  • 104.126.37.155
  • 104.126.37.162
  • 104.126.37.170
  • 104.126.37.145
  • 104.126.37.171
  • 104.126.37.178
  • 104.126.37.160
  • 104.126.37.154
whitelisted
th.bing.com
  • 104.126.37.185
  • 104.126.37.155
  • 104.126.37.162
  • 104.126.37.170
  • 104.126.37.145
  • 104.126.37.171
  • 104.126.37.178
  • 104.126.37.160
  • 104.126.37.154
whitelisted
browser.pipe.aria.microsoft.com
  • 20.44.10.123
whitelisted
r.bing.com
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.170
  • 104.126.37.162
  • 104.126.37.145
  • 104.126.37.154
  • 104.126.37.155
  • 104.126.37.160
  • 104.126.37.171
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
wac-ring.msedge.net
  • 52.108.8.254
  • 52.108.9.254
unknown

Threats

Found threats are available for paid subscriptions
1 ETPRO signature is available in the full report
No debug info