File name:

INFOSTEALERS.zip

Full analysis: https://app.any.run/tasks/bfde68ab-0eb9-4b72-a69c-1712fc3eb8f7
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to operate it.

Analysis date: November 03, 2023, 23:52:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
stealer
formbook
xloader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

758F06DB4489B7A6A4FC8085D1918ADB

SHA1:

68DDF9B8E9C723F6ADA42BCBF0919C5213620B84

SHA256:

1DB4C8CC7512CA772CA0DD0F89919EC914DD33B2E8DFF6106C4D48C85DB2FB87

SSDEEP:

98304:GsqoyuiEwr1Sbfdp5Ljd1d2IbvGZhQdf3+HeBUPMP8XuVHK6GWdHy5y2F7lRhiPB:x5Klgk+RiNC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • qfe.exe (PID: 5244)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 5368)
      • RegAsm.exe (PID: 5132)
      • RegSvcs.exe (PID: 5732)
    • Steals credentials

      • RegAsm.exe (PID: 5132)
      • RegAsm.exe (PID: 5608)
      • RegSvcs.exe (PID: 5732)
      • RegSvcs.exe (PID: 5900)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 5132)
      • RegAsm.exe (PID: 5116)
      • RegAsm.exe (PID: 5608)
      • RegSvcs.exe (PID: 5368)
      • RegSvcs.exe (PID: 5732)
      • RegSvcs.exe (PID: 5720)
      • RegSvcs.exe (PID: 5900)
    • FORMBOOK has been detected (YARA)

      • 297022aace9eedb2bff66cc4178d7961265e2b6e592cb65a03e6854a5bcfb02d.exe (PID: 4796)
    • Changes the autorun value in the registry

      • adh.exe (PID: 5684)
  • SUSPICIOUS

    • Application launched itself

      • RegAsm.exe (PID: 5116)
      • qfe.exe (PID: 5224)
      • adh.exe (PID: 5664)
      • RegSvcs.exe (PID: 5720)
    • Drops the AutoIt3 executable file

      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
    • Reads the Internet Settings

      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • RegSvcs.exe (PID: 5368)
      • RegAsm.exe (PID: 5116)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
      • RegSvcs.exe (PID: 5720)
    • Process drops legitimate windows executable

      • qfe.exe (PID: 5244)
    • Searches for installed software

      • RegSvcs.exe (PID: 5368)
    • Accesses Microsoft Outlook profiles

      • RegAsm.exe (PID: 5608)
      • RegSvcs.exe (PID: 5368)
      • RegSvcs.exe (PID: 5900)
    • Loads DLL from Mozilla Firefox

      • RegAsm.exe (PID: 5132)
      • RegSvcs.exe (PID: 5732)
    • Starts CMD.EXE for commands execution

      • RegSvcs.exe (PID: 5368)
    • Executing commands from a ".bat" file

      • RegSvcs.exe (PID: 5368)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3384)
      • RegAsm.exe (PID: 5116)
      • 4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7.exe (PID: 4996)
      • RegAsm.exe (PID: 5132)
      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • 297022aace9eedb2bff66cc4178d7961265e2b6e592cb65a03e6854a5bcfb02d.exe (PID: 4796)
      • wmpnscfg.exe (PID: 1892)
      • qfe.exe (PID: 5244)
      • RegSvcs.exe (PID: 5368)
      • 78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097.exe (PID: 5408)
      • RegAsm.exe (PID: 5608)
      • qfe.exe (PID: 5224)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
      • adh.exe (PID: 5664)
      • adh.exe (PID: 5684)
      • RegSvcs.exe (PID: 5720)
      • RegSvcs.exe (PID: 5732)
      • RegSvcs.exe (PID: 5900)
      • javaw.exe (PID: 5972)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3384)
      • wmpnscfg.exe (PID: 1892)
      • RegAsm.exe (PID: 5132)
      • qfe.exe (PID: 5244)
      • RegAsm.exe (PID: 5116)
      • adh.exe (PID: 5684)
      • RegSvcs.exe (PID: 5732)
      • RegSvcs.exe (PID: 5720)
    • Application launched itself

      • msedge.exe (PID: 3596)
      • firefox.exe (PID: 2884)
      • firefox.exe (PID: 2692)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3196)
      • firefox.exe (PID: 2692)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1892)
      • firefox.exe (PID: 2884)
      • 297022aace9eedb2bff66cc4178d7961265e2b6e592cb65a03e6854a5bcfb02d.exe (PID: 4796)
      • 4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7.exe (PID: 4996)
      • msedge.exe (PID: 3596)
      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • 78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097.exe (PID: 5408)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
      • javaw.exe (PID: 5972)
    • Reads the computer name

      • 4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7.exe (PID: 4996)
      • wmpnscfg.exe (PID: 3384)
      • RegAsm.exe (PID: 5132)
      • wmpnscfg.exe (PID: 1892)
      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • qfe.exe (PID: 5224)
      • qfe.exe (PID: 5244)
      • RegSvcs.exe (PID: 5368)
      • RegAsm.exe (PID: 5116)
      • RegAsm.exe (PID: 5608)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
      • adh.exe (PID: 5664)
      • adh.exe (PID: 5684)
      • RegSvcs.exe (PID: 5732)
      • RegSvcs.exe (PID: 5720)
      • RegSvcs.exe (PID: 5900)
    • Creates files or folders in the user directory

      • 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe (PID: 5160)
      • qfe.exe (PID: 5224)
    • Reads mouse settings

      • qfe.exe (PID: 5244)
      • qfe.exe (PID: 5224)
      • adh.exe (PID: 5664)
      • adh.exe (PID: 5684)
    • Creates files in a temporary directory

      • qfe.exe (PID: 5244)
      • RegAsm.exe (PID: 5132)
      • RegAsm.exe (PID: 5608)
      • e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe (PID: 5640)
      • adh.exe (PID: 5664)
      • RegSvcs.exe (PID: 5732)
      • RegSvcs.exe (PID: 5368)
      • RegSvcs.exe (PID: 5900)
    • Checks proxy server information

      • RegAsm.exe (PID: 5116)
      • RegSvcs.exe (PID: 5720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process: (4796) 297022aace9eedb2bff66cc4178d7961265e2b6e592cb65a03e6854a5bcfb02d.exe
C2: www.daylleosin.info/ca/
Strings (79):
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64):
etrade668.com
witchwardrobe.com
fresh-express.info
court-of-protection-abuse.com
mydomaine.pizza
chiquirritmo.com
goldennestconstructions.com
gldqn.com
songkorea.com
epaqint.com
3201wargyle1s.info
batdongsanhungphu.com
higheredandbeyond.com
tenpro25.date
drzcapital.com
corporativoacarsa.com
happyupward.net
aljyc.link
travellerit.com
dazhongpuhui.com
kokrishop.com
zekporno.com
kkkav61611.com
cgllt.com
ferhat.photography
persiangloriessaga.com
residenz-schrofenblick.com
chuiniupi.net
take2mediation.com
bdoiron.com
shortforlong.com
105manbet.com
ufjzen.info
robots-electronics.com
amillionormorethingstodo.com
bransonmichelesflowers.com
zarchain.com
lillucke.com
simplare.com
topviews.online
fortworthwww.com
revitalifeclinicuae.info
baxter.group
florallis.com
scma1.com
coar.solutions
3pastel-takako.net
desertsteelart.com
qualitytrade.today
toinner.net
linguisticspcfit.online
2017weiyi.com
ugetit.net
kashikiriparty2.com
yunfanat.com
boteinstein.com
ashleyilikea.com
qixoq.loan
bdb.ink
livingstonparkinc.com
ramseyindustries.biz
91yima.com
pengyuze.com
patrick-friedl.com
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:11:03 23:37:04
ZipCRC: 0xaf9c0b28
ZipCompressedSize: 641922
ZipUncompressedSize: 1218048
ZipFileName: 297022aace9eedb2bff66cc4178d7961265e2b6e592cb65a03e6854a5bcfb02d.exe
No data.
All screenshots are available in the full report
Total processes
107
Monitored processes
58
Malicious processes
15
Suspicious processes
0

Behavior graph

start winrar.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpnscfg.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs #FORMBOOK 297022aace9eedb2bff66cc4178d7961265e2b6e592cb65a03e6854a5bcfb02d.exe 4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7.exe regasm.exe regasm.exe 63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a.exe qfe.exe no specs qfe.exe no specs regsvcs.exe 78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097.exe regasm.exe e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d.exe adh.exe no specs adh.exe regsvcs.exe regsvcs.exe regsvcs.exe cmd.exe no specs javaw.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 328
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 476
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 536
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.5.541159904\1672215312" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 936 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46aa5d83-9ea0-4ca8-ad27-4e60902eb0ff} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 4020 18eebf70 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 908
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1160
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.8.145446235\682572301" -childID 7 -isForBrowser -prefsHandle 4668 -prefMapHandle 4672 -prefsLen 31054 -prefMapSize 244195 -jsInitHandle 936 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d3e327b-4464-4d5c-b36a-1b2b4f5c8fd6} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 4656 1aa9e9b0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 1344
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1812
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3184 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1876
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1284,i,4712011144680032580,8946908958442643037,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1876
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.6.1828030015\1934934552" -childID 5 -isForBrowser -prefsHandle 4152 -prefMapHandle 4156 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 936 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d0ed600-34f9-4e8d-b43f-ea65996d4c96} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 4136 194ea110 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
26 471
Read events
26 314
Write events
150
Delete events
7

Modification events

(PID) Process: (3384) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{EB87113E-6828-4EF0-AF7B-DDA324CC6E41}\{6798FEA9-3885-4B36-A6D5-3599CB14B3FC}
Operation: delete key
Name: (default)
Value:
(PID) Process: (3384) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{EB87113E-6828-4EF0-AF7B-DDA324CC6E41}
Operation: delete key
Name: (default)
Value:
(PID) Process: (3384) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{86897002-B53B-49B9-92F1-910CA3D85C6E}
Operation: delete key
Name: (default)
Value:
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
(PID) Process: (3196) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
Executable files
75
Suspicious files
1 545
Text files
168
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF16c3c2.TMP
Type:
MD5:
SHA256:
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
Type:
MD5:
SHA256:
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF16c410.TMP
Type:
MD5:
SHA256:
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
Type:
MD5:
SHA256:
PID: 3196
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3196.7503\4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7.exe
Type: executable
MD5: 04CE3268080CB301AD8202217685CA59
SHA256: 4F619C7B4F54DD6ED7833880C8600334C42084A20C73D9B76973D45202A734C7
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF16c44e.TMP
Type:
MD5:
SHA256:
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
Type:
MD5:
SHA256:
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old
Type: text
MD5: A9B940DA81B2E13D048EBB32E79FA414
SHA256: 9061129705411EA6CFDD34177BF841CC85EB857BA909D3C4AA69BE8A5C59A8B0
PID: 3196
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3196.7503\78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097.exe
Type: executable
MD5: 9B2179379BB6E1DB0736FF6F0D1802D7
SHA256: 78DDA119DDC3B77095009F357809E3451BB897E51053601B1088AE5C61949097
PID: 3596
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Type: binary
MD5: C7352A0E98449CC8AEDC1D6954C4CCD9
SHA256: 3A1591F52AD31B5B0B48F97AB5E1361D0AD0FA0F584E8FE8EFD482801DC2B9B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
125
DNS requests
264
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3896 | msedge.exe | GET | 301 | 172.217.18.5:80 | http://gmail.com/ | unknown | html | 230 b | unknown
2692 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | text | 8 b | unknown
2692 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
2692 | firefox.exe | POST | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gts1c3 | unknown | binary | 472 b | unknown
2692 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | text | 90 b | unknown
2692 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
2692 | firefox.exe | POST | 200 | 184.24.77.54:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
2692 | firefox.exe | POST | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gts1c3 | unknown | binary | 472 b | unknown
2692 | firefox.exe | POST | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gts1c3 | unknown | binary | 472 b | unknown
2692 | firefox.exe | POST | 200 | 18.245.65.219:80 | http://ocsp.r2m02.amazontrust.com/ | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3896 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3596 | msedge.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3896 | msedge.exe | 204.79.197.203:443 | ntp.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3896 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3896 | msedge.exe | 23.53.42.121:443 | assets.msn.com | Akamai International B.V. | DE | unknown
3896 | msedge.exe | 23.53.40.147:443 | img-s-msn-com.akamaized.net | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
whitelisted
ntp.msn.com
  • 204.79.197.203
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
assets.msn.com
  • 23.53.42.121
  • 23.53.42.120
whitelisted
img-s-msn-com.akamaized.net
  • 23.53.40.147
  • 23.53.40.104
whitelisted
sb.scorecardresearch.com
  • 18.245.60.72
  • 18.245.60.107
  • 18.245.60.53
  • 18.245.60.76
shared
th.bing.com
  • 23.36.162.84
  • 23.36.162.68
whitelisted
www.bing.com
  • 23.36.162.80
  • 23.36.162.68
  • 23.36.162.76
whitelisted
c.msn.com
  • 68.219.88.97
whitelisted
api.msn.com
  • 204.79.197.203
whitelisted

Threats

No threats detected
No debug info