File name: PWA Identity Proxy

Full analysis: https://app.any.run/tasks/f699513d-1a69-4366-8b0b-76b27cd6c7e5
Verdict: Malicious activity
Analysis date: March 20, 2025, 00:07:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: D1A6E2BEB0967C09109A4E4AEF0E8AB1
SHA1: CE4F1B67E57C5F7C3DA25627A4F6ECB333E36A0F
SHA256: 0761F7C1774B5EFBACEBBDCF4F229CCEFF2FC48C8130A5958535A55774442FA5
SSDEEP: 3072:83z3iCQ2trqYIJp+APF48GX8UdVR3mw/rAwvZC+Itcf1OkoPpOq4JM0qlsJy3+U9:8T+VHuVQurHZ4tcjakJgKKcE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • down.exe (PID: 7392)
      • down.exe (PID: 7948)
    • Changes the autorun value in the registry

      • down.exe (PID: 7948)
      • down.exe (PID: 7392)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • PWA Identity Proxy.exe (PID: 7000)
    • Process drops legitimate windows executable

      • PWA Identity Proxy.exe (PID: 7000)
    • Executable content was dropped or overwritten

      • PWA Identity Proxy.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • PWA Identity Proxy.exe (PID: 7000)
      • down.exe (PID: 7392)
      • down.exe (PID: 7948)
    • Connects to unusual port

      • down.exe (PID: 7392)
      • down.exe (PID: 7948)
  • INFO

    • Reads the computer name

      • PWA Identity Proxy.exe (PID: 7000)
      • down.exe (PID: 7948)
      • down.exe (PID: 7392)
    • Checks supported languages

      • PWA Identity Proxy.exe (PID: 7000)
      • down.exe (PID: 7392)
      • down.exe (PID: 7948)
    • Reads the machine GUID from the registry

      • PWA Identity Proxy.exe (PID: 7000)
      • down.exe (PID: 7392)
      • down.exe (PID: 7948)
    • Disables trace logs

      • PWA Identity Proxy.exe (PID: 7000)
    • Checks proxy server information

      • PWA Identity Proxy.exe (PID: 7000)
      • down.exe (PID: 7948)
      • down.exe (PID: 7392)
    • Reads the software policy settings

      • PWA Identity Proxy.exe (PID: 7000)
      • down.exe (PID: 7392)
      • slui.exe (PID: 4428)
      • down.exe (PID: 7948)
    • Process checks computer location settings

      • PWA Identity Proxy.exe (PID: 7000)
    • The sample is compiled with Chinese language support

      • PWA Identity Proxy.exe (PID: 7000)
    • Manual execution by a user

      • down.exe (PID: 7948)
    • Autorun file from Registry key

      • down.exe (PID: 7948)
      • down.exe (PID: 7392)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:14 16:55:01+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 12800
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x31ad4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 133.0.3065.69
ProductVersionNumber: 133.0.3065.69
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 133.0.3065.69
ProductVersion: 133.0.3065.69
FileDescription: PwaHelper executable for Identity Proxy
CompanyName: Microsoft Corporation
OriginalFileName: PWA Identity Proxy
ProductName: Microsoft Edge
LegalCopyright: Copyright Microsoft Corporation. All rights reserved.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree (reconstructed from the parent-process fields in the process information below; "no specs" is the sandbox's label for a process that triggered no signatures):

explorer.exe
  PWA Identity Proxy.exe (PID 7000)
    down.exe (PID 7392)
  down.exe (PID 7948)
services.exe
  svchost.exe (PID 2196)
svchost.exe
  SppExtComObj.exe (PID 6944, no specs)
    slui.exe (PID 4428)
  slui.exe (PID 7996, no specs)

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 4428
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6944
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

PID: 7000
CMD: "C:\Users\admin\AppData\Local\Temp\PWA Identity Proxy.exe"
Path: C:\Users\admin\AppData\Local\Temp\PWA Identity Proxy.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PwaHelper executable for Identity Proxy
Exit code: 0
Version: 133.0.3065.69
Modules (images):
c:\users\admin\appdata\local\temp\pwa identity proxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 7392
CMD: "C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe"
Path: C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe
Parent process: PWA Identity Proxy.exe
User: admin
Company: ShenZhen Thunder Networking Technologies Ltd.
Integrity Level: MEDIUM
Description: Xunlei Browser Process Shell
Version: 1.2.8.121
Modules (images):
c:\users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 7948
CMD: "C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe"
Path: C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe
Parent process: explorer.exe
User: admin
Company: ShenZhen Thunder Networking Technologies Ltd.
Integrity Level: MEDIUM
Description: Xunlei Browser Process Shell
Version: 1.2.8.121
Modules (images):
c:\users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 7996
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
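The process table above carries the two signals worth detecting generically, independent of this sample's hashes: an image whose version resource claims Microsoft Corporation (Microsoft Edge 133.0.3065.69, "PwaHelper executable for Identity Proxy") but which is a 32-bit .NET assembly (the file info says Mono/.Net, and mscoree.dll is loaded under WOW64) executing from %LOCALAPPDATA%\Temp, and a second executable launched from a GUID@27-named directory created directly under the user profile, once by the dropper (PID 7392) and once again from explorer.exe (PID 7948, the "Manual execution by a user" / "Autorun file from Registry key" indicators). The triage below is an added example, not ANY.RUN's code: its Proc records are constructed from this report's process table, and the four rules (Microsoft-branded image outside the Windows and Program Files roots, CLR loaded, execution from Temp or from a GUID-named profile directory, and a user-writable parent spawning a user-writable child) are the editor's, not the sandbox's signatures.

```python
import re
from dataclasses import dataclass

# Layout seen in the report: <drive>:\Users\<user>\<GUID>@<n>\<file>
GUID_DROP_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}@\d+\\",
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Proc:
    pid: int
    path: str           # image path as the sandbox reports it
    parent: str         # parent image name (the report gives names, not PIDs)
    company: str        # CompanyName from the version resource
    description: str    # FileDescription from the version resource
    modules: tuple = ()  # loaded module paths, lower-case, where the report lists them


def _basename(path):
    # os.path.basename would not split Windows paths on a POSIX host
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs):
    """Return {pid: [finding, ...]} for every process that trips a rule."""
    findings = {}

    def add(pid, msg):
        findings.setdefault(pid, []).append(msg)

    for p in procs:
        path = p.path.lower()
        # Rule 1: vendor claim vs. location. A binary whose version resource says
        # Microsoft Corporation but that runs outside the Windows/Program Files
        # roots is the masquerade pattern in this report.
        if p.company == "Microsoft Corporation" and not path.startswith(SYSTEM_ROOTS):
            add(p.pid, "version info claims Microsoft Corporation but image is %s" % p.path)
        # Rule 2: the CLR loaded into a process posing as a native browser helper.
        if any(m.endswith("\\mscoree.dll") for m in p.modules):
            add(p.pid, "managed (.NET) executable: mscoree.dll loaded")
        # Rule 3: execution from Temp or from a GUID@n directory directly under
        # the profile, neither of which is a normal application install path.
        if "\\appdata\\local\\temp\\" in path:
            add(p.pid, "runs from the user's Temp directory")
        if GUID_DROP_DIR.match(p.path):
            add(p.pid, "runs from a GUID-named directory directly under the profile")

    # Rule 4: drop-and-execute. The child lives in a user-writable path and so
    # does its parent, i.e. a freshly dropped payload launched by the stager.
    by_name = {_basename(p.path): p for p in procs}
    for p in procs:
        par = by_name.get(p.parent.lower())
        if par and USER_WRITABLE.match(par.path) and USER_WRITABLE.match(p.path):
            add(p.pid, "spawned by %s (PID %d), which also runs from a user-writable path"
                % (p.parent, par.pid))
    return findings


# Records constructed from this report's process table (not a live capture).
REPORT_PROCS = [
    Proc(2196, r"C:\Windows\System32\svchost.exe", "services.exe",
         "Microsoft Corporation", "Host Process for Windows Services"),
    Proc(7000, r"C:\Users\admin\AppData\Local\Temp\PWA Identity Proxy.exe", "explorer.exe",
         "Microsoft Corporation", "PwaHelper executable for Identity Proxy",
         modules=(r"c:\windows\syswow64\mscoree.dll",)),
    Proc(7392, r"C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe",
         "PWA Identity Proxy.exe", "ShenZhen Thunder Networking Technologies Ltd.",
         "Xunlei Browser Process Shell"),
    Proc(7948, r"C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe",
         "explorer.exe", "ShenZhen Thunder Networking Technologies Ltd.",
         "Xunlei Browser Process Shell"),
    Proc(7996, r"C:\Windows\System32\slui.exe", "svchost.exe",
         "Microsoft Corporation", "Windows Activation Client"),
]

if __name__ == "__main__":
    for pid, msgs in sorted(triage(REPORT_PROCS).items()):
        for m in msgs:
            print(pid, m)
```

Rule 1 deliberately ignores the signature: the report shows the sample unsigned-or-untrusted, but a stolen or leaf-mismatched certificate would also pass a naive "is signed" check, whereas a Microsoft-branded image in Temp is wrong regardless.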
Total events: 2 853
Read events: 2 837
Write events: 16
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | EnableFileTracing | 0
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | EnableAutoFileTracing | 0
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | EnableConsoleTracing | 0
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | FileTracingMask | (empty in report)
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | ConsoleTracingMask | (empty in report)
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | MaxFileSize | 1048576
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 | FileDirectory | %windir%\tracing
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASMANCS | EnableFileTracing | 0
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASMANCS | EnableAutoFileTracing | 0
7000 | PWA Identity Proxy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASMANCS | EnableConsoleTracing | 0
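All ten writes shown land under HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32 and _RASMANCS. The RAS and WinINet libraries create exactly these keys, with exactly these default values (EnableFileTracing=0, MaxFileSize=1048576, FileDirectory=%windir%\tracing), the first time a process uses them, typically on a proxy lookup or an HTTP call, so the "Disables trace logs" signature here is a side effect of the dropper's network activity, not an anti-forensic step. The autorun change the indicators attribute to down.exe is a different matter, but it is not among the 10 of the 16 write events this extract shows. The classifier below is an added example, not ANY.RUN's code: it labels the report's events as tracing noise, separates a tracing value that departs from the defaults, and pulls the launched executable out of a Run/RunOnce or Winlogon write. The two rows in HYPOTHETICAL_EVENTS are constructed to exercise those branches; the report does not list the key or value down.exe wrote.

```python
import re

TRACING_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Tracing\\"
    r"(?P<app>.+)_(?:RASAPI32|RASMANCS)$", re.IGNORECASE)
# Values rasapi32/rasman write on first use. A write of anything else under
# these keys (EnableFileTracing=1, say) means tracing was really reconfigured.
TRACING_DEFAULTS = {
    "enablefiletracing": "0",
    "enableautofiletracing": "0",
    "enableconsoletracing": "0",
    "maxfilesize": "1048576",
    "filedirectory": r"%windir%\tracing",
}
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)
EXE_IN_VALUE = re.compile(r'^"?([^"]+?\.(?:exe|dll|cmd|bat))"?', re.IGNORECASE)


def classify(event):
    """Label one (pid, process, key, operation, name, value) registry event."""
    _pid, _proc, key, op, name, value = event
    if op.lower() != "write":
        return "other"
    if TRACING_KEY.match(key):
        expected = TRACING_DEFAULTS.get(name.lower())
        # Names outside the table (the masks, whose values the extract lost)
        # are judged by the key alone.
        if expected is None or value.lower() == expected.lower():
            return "tracing-noise"
        return "tracing-changed"
    if AUTORUN_KEY.search(key):
        return "persistence"
    return "unclassified"


def autorun_targets(events):
    """Return [(pid, process, key, name, target)] for every persistence write,
    with the executable path unquoted out of the value where one is present."""
    out = []
    for ev in events:
        if classify(ev) == "persistence":
            pid, proc, key, _op, name, value = ev
            m = EXE_IN_VALUE.match(value)
            out.append((pid, proc, key, name, m.group(1) if m else value))
    return out


def summarize(events):
    """Count events per label, e.g. {'tracing-noise': 10}."""
    counts = {}
    for ev in events:
        lab = classify(ev)
        counts[lab] = counts.get(lab, 0) + 1
    return counts


# Events transcribed from this report's Modification events table.
K1 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASAPI32"
K2 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PWA Identity Proxy_RASMANCS"
P = (7000, "PWA Identity Proxy.exe")
REPORT_EVENTS = [
    P + (K1, "write", "EnableFileTracing", "0"),
    P + (K1, "write", "EnableAutoFileTracing", "0"),
    P + (K1, "write", "EnableConsoleTracing", "0"),
    P + (K1, "write", "FileTracingMask", ""),
    P + (K1, "write", "ConsoleTracingMask", ""),
    P + (K1, "write", "MaxFileSize", "1048576"),
    P + (K1, "write", "FileDirectory", r"%windir%\tracing"),
    P + (K2, "write", "EnableFileTracing", "0"),
    P + (K2, "write", "EnableAutoFileTracing", "0"),
    P + (K2, "write", "EnableConsoleTracing", "0"),
]
# HYPOTHETICAL, not from the report: the indicators say down.exe changed an
# autorun value but the extract does not show the key; these rows only
# exercise the persistence and tracing-changed branches.
HYPOTHETICAL_EVENTS = [
    (7948, "down.exe",
     r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "write", "down",
     r'"C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe"'),
    (7000, "PWA Identity Proxy.exe", K1, "write", "EnableFileTracing", "1"),
]

if __name__ == "__main__":
    print(summarize(REPORT_EVENTS + HYPOTHETICAL_EVENTS))
    for row in autorun_targets(REPORT_EVENTS + HYPOTHETICAL_EVENTS):
        print("persistence:", row)
```

When triaging a sandbox run, drop the tracing-noise rows first and read what is left; the autorun write the report attributes to down.exe is in the six events this page does not show.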
Executable files: 2
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID 7000, PWA Identity Proxy.exe: C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\xlbrowser.dll (executable)
MD5: 88D44D2FFF8524190449F07D408D0FD0
SHA256: 006D604BAB898FBEFDF07815BF9165F68C14F8CE365E64A91CD43A6BCDFF43A5

PID 7000, PWA Identity Proxy.exe: C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\image.jpg (image)
MD5: D0C1E586BC522B335A96B206D5E85F33
SHA256: 01E001FF68F779744CBE6537FAD8E0C20876B75C3A62A702D7317432AE4BE233

PID 7000, PWA Identity Proxy.exe: C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\down.exe (executable)
MD5: 93E322F54A584C5082425EADC4AB225C
SHA256: 685E784070DAA010BB3D051E2BCBCE2736F1A198B18C6D738C70171F1674B385

PID 7000, PWA Identity Proxy.exe: C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\log.dat (binary)
MD5: F1F263D4895449E15CA27EF844DE4EE9
SHA256: 6AAF2C32B09F595A53E0D75D3FAD7EFDB67801A9BDE93F6255D9C8992A2DAC96
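Everything the dropper writes goes into one directory, C:\Users\admin\97ecd0f3-7881-4270-b389-9566b14adf5e@27\: a down.exe whose version resource belongs to Xunlei (ShenZhen Thunder Networking Technologies Ltd., "Xunlei Browser Process Shell", 1.2.8.121), an xlbrowser.dll beside it, an image.jpg and a log.dat. A vendor executable dropped together with a same-vendor DLL into a user-writable directory is the arrangement used for DLL side-loading; the report shows the drop and the execution of down.exe, but its module list is cut off after shlwapi.dll and does not show xlbrowser.dll being loaded, so treat side-loading as an inference rather than a finding. The only network destination the report attributes to PID 7000 is csfaga.s3.ap-southeast-1.amazonaws.com over 443 (reputation "shared"), and no HTTP request from PID 7000 is decoded, so the payload's origin is not visible in this extract. The hunt script below is an added example, not ANY.RUN's code: it walks a profile root for <GUID>@<n> directories sitting directly under a user profile, hashes whichever of the four dropped file names it finds there, reports whether the hash is one the report lists, and notes when down.exe and xlbrowser.dll sit side by side. The tree it builds for the demo is constructed stand-in data, not the real files, so a name-and-layout hit with an unknown hash is exactly the case a hunter should still open.

```python
import hashlib
import os
import re
import tempfile

DROP_DIR = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}@\d+$", re.IGNORECASE)
DROP_NAMES = {"down.exe", "xlbrowser.dll", "image.jpg", "log.dat"}
SIDELOAD_PAIR = {"down.exe", "xlbrowser.dll"}
# SHA-256 values of the dropped files, as listed in the report.
KNOWN_SHA256 = {
    "006d604bab898fbefdf07815bf9165f68c14f8ce365e64a91cd43a6bcdff43a5": "xlbrowser.dll",
    "01e001ff68f779744cbe6537fad8e0c20876b75c3a62a702d7317432ae4be233": "image.jpg",
    "685e784070daa010bb3d051e2bcbce2736f1a198b18c6d738c70171f1674b385": "down.exe",
    "6aaf2c32b09f595a53e0d75d3fad7efdb67801a9bde93f6255d9c8992a2dac96": "log.dat",
}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(profile_root):
    """Scan <profile_root>/<user>/<GUID@n>/ for the report's dropped-file names.
    Returns one dict per matching file: where it is, its SHA-256, whether that
    hash is in the report, and whether the EXE/DLL pair is present together."""
    hits = []
    for user in os.scandir(profile_root):
        if not user.is_dir():
            continue
        for sub in os.scandir(user.path):
            if not (sub.is_dir() and DROP_DIR.match(sub.name)):
                continue
            names = {n.lower(): n for n in os.listdir(sub.path)}  # case-insensitive match
            paired = SIDELOAD_PAIR <= set(names)
            for key in sorted(DROP_NAMES & set(names)):
                digest = sha256_of(os.path.join(sub.path, names[key]))
                hits.append({"user": user.name, "dir": sub.name, "file": key,
                             "sha256": digest, "known": digest in KNOWN_SHA256,
                             "paired": paired})
    return hits


def build_sample_tree(root):
    """Constructed test data, not the real dropped files: a profile with the
    report's directory name holding stand-in copies of the EXE/DLL pair."""
    d = os.path.join(root, "admin", "97ecd0f3-7881-4270-b389-9566b14adf5e@27")
    os.makedirs(d)
    os.makedirs(os.path.join(root, "admin", "AppData", "Local", "Temp"))
    with open(os.path.join(d, "down.exe"), "wb") as f:
        f.write(b"MZ stand-in, not the real down.exe")
    with open(os.path.join(d, "xlbrowser.dll"), "wb") as f:
        f.write(b"MZ stand-in, not the real xlbrowser.dll")
    return d


def demo():
    """Run hunt() against the constructed tree in a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point it at C:\Users on a live host or at the Users directory of a mounted image; the GUID@n pattern is the durable part of the indicator, since a rebuilt payload changes every hash but keeps the dropper's layout.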
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 37
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6004 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
7628 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7628 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

None of the listed HTTP requests comes from the sample's processes (PIDs 7000, 7392, 7948); all five are OS certificate-revocation traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7000 | PWA Identity Proxy.exe | 3.5.148.137:443 | csfaga.s3.ap-southeast-1.amazonaws.com | AMAZON-02 | SG | shared
3216 | svchost.exe | 20.198.162.78:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
6544 | svchost.exe | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
6004 | backgroundTaskHost.exe | 20.74.47.205:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6004 | backgroundTaskHost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

Only 10 of the 37 connections are shown here; the down.exe connections behind the "Connects to unusual port" indicator are in the full report.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
google.com
  • 142.250.186.78
whitelisted
csfaga.s3.ap-southeast-1.amazonaws.com
  • 3.5.148.137
  • 3.5.146.144
  • 3.5.150.120
  • 52.219.184.50
  • 52.219.164.194
  • 3.5.148.227
  • 3.5.150.35
shared
client.wns.windows.com
  • 20.198.162.78
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.130
  • 20.190.159.129
  • 40.126.31.67
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info