Malware analysis https://qrcode.tec-it.com/API/QRCode?data=https%3A%2F%2Fwww.bing.com%2Fck%2Fa%3F%21%26%26p%3D4ed30224ac809bc0JmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MQ%26ptn%3D3%26ver%3D2%26hsh%3D3%26fclid%3D364f65e8-e56c-619d-1257-713ee42a6012%26u%3Da1aHR0cDovL3d3dy40NDQzMTcuY29tLw%23aHR0cHM6Ly9pUjkuaGVhc3R5cGhlLmNvbS8zOGlJVHMv%2F Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

URL:	https://qrcode.tec-it.com/API/QRCode?data=https%3A%2F%2Fwww.bing.com%2Fck%2Fa%3F%21%26%26p%3D4ed30224ac809bc0JmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MQ%26ptn%3D3%26ver%3D2%26hsh%3D3%26fclid%3D364f65e8-e56c-619d-1257-713ee42a6012%26u%3Da1aHR0cDovL3d3dy40NDQzMTcuY29tLw%23aHR0cHM6Ly9pUjkuaGVhc3R5cGhlLmNvbS8zOGlJVHMv%2F
Full analysis:	https://app.any.run/tasks/3097fb23-ebe3-4e11-96ab-763132640884
Verdict:	Malicious activity
Analysis date:	September 10, 2024, 15:53:36
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	qr-redirect qrcode
Indicators:
MD5:	23FD06EB2A9DB2B8E68AAD3403F5B2CF
SHA1:	D53702957C9808195080791EE140F60C1E58F294
SHA256:	08DA3376E263E8BE9CC88CFC5B20F0A091DD5FEF166E33DF9A97B084E7C4DBAE
SSDEEP:	6:270S0fJnztFZqVzhRQJxyAHOggfj4BbnIoQ1UJItkSoA5gp4DCvz:27yfJn9uzh6xlSfjUMSJIGs1Gvz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
Client LanguagePack Package
DotNetRollup
DotNetRollup 481
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
Hello Face Package
InternetExplorer Optional Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MediaPlayer Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
OpenSSH Client Package
OpenSSH Client Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
ProfessionalEdition
ProfessionalEdition
QuickAssist Package
QuickAssist Package
RollupFix
RollupFix
ServicingStack
ServicingStack
ServicingStack 3989
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
TabletPCMath Package
TabletPCMath Package
UserExperience Desktop Package
UserExperience Desktop Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads security settings of Internet Explorer
  - ScreenSketch.exe (PID: 4364)
  - ScreenClippingHost.exe (PID: 1184)
INFO
- Creates files or folders in the user directory
  - ScreenSketch.exe (PID: 4364)
- Reads the computer name
  - ScreenClippingHost.exe (PID: 1184)
  - ScreenSketch.exe (PID: 4364)
  - identity_helper.exe (PID: 7644)
- Checks supported languages
  - ScreenSketch.exe (PID: 4364)
  - ScreenClippingHost.exe (PID: 1184)
  - identity_helper.exe (PID: 7644)
- Sends debugging messages
  - ScreenSketch.exe (PID: 4364)
  - msedge.exe (PID: 2328)
- Application launched itself
  - chrome.exe (PID: 2208)
  - msedge.exe (PID: 7104)
- Reads security settings of Internet Explorer
  - PickerHost.exe (PID: 3864)
- Reads Environment values
  - identity_helper.exe (PID: 7644)
- Manual execution by a user
  - msedge.exe (PID: 7104)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

222

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2208

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "https://qrcode.tec-it.com/API/QRCode?data=https%3A%2F%2Fwww.bing.com%2Fck%2Fa%3F%21%26%26p%3D4ed30224ac809bc0JmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MQ%26ptn%3D3%26ver%3D2%26hsh%3D3%26fclid%3D364f65e8-e56c-619d-1257-713ee42a6012%26u%3Da1aHR0cDovL3d3dy40NDQzMTcuY29tLw%23aHR0cHM6Ly9pUjkuaGVhc3R5cGhlLmNvbS8zOGlJVHMv%2F"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

7132

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fffd23fdc40,0x7fffd23fdc4c,0x7fffd23fdc58

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5548

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgABAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1876 --field-trial-handle=1880,i,10204943185786317893,5160484211132940470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5164

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2176 --field-trial-handle=1880,i,10204943185786317893,5160484211132940470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4252

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2208 --field-trial-handle=1880,i,10204943185786317893,5160484211132940470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6696

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1880,i,10204943185786317893,5160484211132940470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2396

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1880,i,10204943185786317893,5160484211132940470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6912

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4536 --field-trial-handle=1880,i,10204943185786317893,5160484211132940470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4364

"C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe" -ServerName:App.AppX4k4k4wd0fmhfvg9v37catz0s8k6m08gh.mca

C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\program files\windowsapps\microsoft.screensketch_10.1907.2471.0_x64__8wekyb3d8bbwe\screensketch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

1184

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppX6726kd2wrry6c6n8nc57a1zn08dmzmbt.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClippingHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

123.29302.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\screenclippinghost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

Add for printing

Total events

28 075

Read events

27 788

Write events

255

Delete events

Modification events


(PID) Process:	(2208) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2208) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2208) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(2208) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(2208) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(4364) ScreenSketch.exe	Key:	\REGISTRY\A\{a457059c-cb26-8af5-11fb-4340e2240093}\LocalState
Operation:	write	Name:	Setting_PreferNewWindow
Value: 00583239C79903DB01
(PID) Process:	(4364) ScreenSketch.exe	Key:	\REGISTRY\A\{a457059c-cb26-8af5-11fb-4340e2240093}\LocalState
Operation:	write	Name:	Setting_ShowUnsavedChangesConfirmations
Value: 00108C47C79903DB01
(PID) Process:	(4364) ScreenSketch.exe	Key:	\REGISTRY\A\{a457059c-cb26-8af5-11fb-4340e2240093}\LocalState
Operation:	write	Name:	HasUserSeenSnipHintFlyout
Value: 0189E554C89903DB01
(PID) Process:	(4364) ScreenSketch.exe	Key:	\REGISTRY\A\{a457059c-cb26-8af5-11fb-4340e2240093}\LocalState
Operation:	write	Name:	Setting_LastFileCleanUp
Value: 0000000000000000E3D59EC89903DB01
(PID) Process:	(4364) ScreenSketch.exe	Key:	\REGISTRY\A\{a457059c-cb26-8af5-11fb-4340e2240093}\LocalState
Operation:	write	Name:	Setting_LastFileCleanUp
Value: 53EA9FC89903DB01E3D59EC89903DB01

Add for printing

Executable files

Suspicious files

831

Text files

153

Unknown types

232

Dropped files

PID	Process	Filename		Type
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF12baec.TMP		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF12badc.TMP		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF12babd.TMP		text
		MD5:8F45965291AB2DA10EEB049FB6E917C6	SHA256:8A0DE526945B27CDBBD87357C85FDDD37B572370F894CB0A5AC533FD465D2166
2208	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Variations		binary
		MD5:961E3604F228B0D10541EBF921500C86	SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

201

DNS requests

204

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3908	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnfjpeggfpleeakpidbkibbmn_2023.11.29.1201_all_acqy67ncydhwie54b6ghdtndubgq.crx3	unknown	—	—	unknown
6224	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
—	—	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	unknown
3908	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnfjpeggfpleeakpidbkibbmn_2023.11.29.1201_all_acqy67ncydhwie54b6ghdtndubgq.crx3	unknown	—	—	unknown
3908	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnfjpeggfpleeakpidbkibbmn_2023.11.29.1201_all_acqy67ncydhwie54b6ghdtndubgq.crx3	unknown	—	—	unknown
3908	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnfjpeggfpleeakpidbkibbmn_2023.11.29.1201_all_acqy67ncydhwie54b6ghdtndubgq.crx3	unknown	—	—	unknown
3908	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	unknown
3708	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
3908	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	unknown
3908	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnfjpeggfpleeakpidbkibbmn_2023.11.29.1201_all_acqy67ncydhwie54b6ghdtndubgq.crx3	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6224	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1332	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2208	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
5164	chrome.exe	108.177.119.84:443	accounts.google.com	GOOGLE	US	whitelisted
5164	chrome.exe	85.233.97.212:443	qrcode.tec-it.com	KT-NET Communications GmbH	AT	unknown
6224	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5164	chrome.exe	216.58.206.68:443	www.google.com	GOOGLE	US	whitelisted
2208	chrome.exe	224.0.0.251:5353	—	—	—	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
google.com	142.250.185.238	whitelisted
qrcode.tec-it.com	85.233.97.212	unknown
accounts.google.com	108.177.119.84	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
www.google.com	216.58.206.68	whitelisted
client.wns.windows.com	40.113.110.67 40.113.103.199	whitelisted
login.live.com	40.126.31.67 20.190.159.4 20.190.159.2 20.190.159.64 20.190.159.73 20.190.159.23 20.190.159.0 20.190.159.75 20.190.160.22 40.126.32.74 40.126.32.133 40.126.32.76 40.126.32.72 40.126.32.140 40.126.32.138 20.190.160.17 20.190.159.71 40.126.31.73 40.126.31.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted

Threats

PID	Process	Class	Message
2180	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
2180	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2180	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
2180	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD

Add for printing

Process	Message
msedge.exe	[0910/155711.440:WARNING:device_ticket.cc(151)] Timed out waiting for device ticket. Canceling async operation.
msedge.exe	[0910/155711.440:ERROR:device_ticket.cc(187)] The identity is null.
msedge.exe	[0910/155712.808:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ff6278d0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0910/155712.808:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe	[0910/155712.808:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff85f0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0910/155712.808:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\SYSTEM32\ntdll.dll
msedge.exe	[0910/155712.810:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff6f10000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0910/155712.810:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\System32\KERNEL32.DLL
msedge.exe	[0910/155712.810:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff5da0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe	[0910/155712.810:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\System32\KERNELBASE.dll

General Info

23FD06EB2A9DB2B8E68AAD3403F5B2CF

D53702957C9808195080791EE140F60C1E58F294

08DA3376E263E8BE9CC88CFC5B20F0A091DD5FEF166E33DF9A97B084E7C4DBAE

6:270S0fJnztFZqVzhRQJxyAHOggfj4BbnIoQ1UJItkSoA5gp4DCvz:27yfJn9uzh6xlSfjUMSJIGs1Gvz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

INFO

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Sends debugging messages

Application launched itself

Reads security settings of Internet Explorer

Reads Environment values

Manual execution by a user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings