File name:

1e0482474917fc13b85023c02d79e846ac40216c989d3244bb70c22bd8860e94.exe

Full analysis: https://app.any.run/tasks/d001596b-c94b-4d70-b1bf-9323a85ce515
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 24, 2025, 19:18:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
raspberryrobin
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 14 sections
MD5:

D3CFD6A91301BC646456B9463064E409

SHA1:

8378609A96A61B53F32C3BDB134675536A0F607A

SHA256:

1E0482474917FC13B85023C02D79E846AC40216C989D3244BB70C22BD8860E94

SSDEEP:

24576:rCVzPMismvmIAxYC8e6/vCM4UmerOmQq/LFwW1CqOIVyt/B/sUX11xZumAHU+9TR:rCVzPMismvmIAxYC8e6/vCM4UmerOmQI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RASPBERRYROBIN has been detected (YARA)

      • rundll32.exe (PID: 6492)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 1296)
      • StartMenuExperienceHost.exe (PID: 6228)
      • StartMenuExperienceHost.exe (PID: 7048)
      • StartMenuExperienceHost.exe (PID: 6068)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 1296)
      • StartMenuExperienceHost.exe (PID: 3876)
      • StartMenuExperienceHost.exe (PID: 6364)
    • Process requests binary or script from the Internet

      • SearchApp.exe (PID: 6004)
  • INFO

    • Process checks computer location settings

      • SearchApp.exe (PID: 3620)
      • StartMenuExperienceHost.exe (PID: 1296)
      • SearchApp.exe (PID: 4892)
      • StartMenuExperienceHost.exe (PID: 3876)
      • SearchApp.exe (PID: 4792)
      • SearchApp.exe (PID: 7096)
      • StartMenuExperienceHost.exe (PID: 7048)
      • SearchApp.exe (PID: 6420)
      • StartMenuExperienceHost.exe (PID: 6364)
      • SearchApp.exe (PID: 5796)
      • SearchApp.exe (PID: 6004)
      • SearchApp.exe (PID: 2876)
    • Reads the computer name

      • TextInputHost.exe (PID: 6536)
      • StartMenuExperienceHost.exe (PID: 1296)
      • TextInputHost.exe (PID: 2280)
      • SearchApp.exe (PID: 4892)
      • StartMenuExperienceHost.exe (PID: 3876)
      • TextInputHost.exe (PID: 5040)
      • SearchApp.exe (PID: 7096)
      • StartMenuExperienceHost.exe (PID: 6228)
      • StartMenuExperienceHost.exe (PID: 7048)
      • StartMenuExperienceHost.exe (PID: 5912)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 3620)
      • SearchApp.exe (PID: 4892)
      • SearchApp.exe (PID: 4792)
      • SearchApp.exe (PID: 7096)
      • SearchApp.exe (PID: 6420)
      • SearchApp.exe (PID: 6336)
    • Checks supported languages

      • SearchApp.exe (PID: 3620)
      • TextInputHost.exe (PID: 6536)
      • StartMenuExperienceHost.exe (PID: 1296)
      • TextInputHost.exe (PID: 2280)
      • SearchApp.exe (PID: 4892)
      • StartMenuExperienceHost.exe (PID: 3876)
      • TextInputHost.exe (PID: 5040)
      • SearchApp.exe (PID: 4792)
      • TextInputHost.exe (PID: 6832)
      • StartMenuExperienceHost.exe (PID: 6228)
      • SearchApp.exe (PID: 7096)
      • StartMenuExperienceHost.exe (PID: 7048)
      • SearchApp.exe (PID: 6420)
      • TextInputHost.exe (PID: 6220)
      • TextInputHost.exe (PID: 5032)
      • StartMenuExperienceHost.exe (PID: 6364)
      • SearchApp.exe (PID: 5796)
      • StartMenuExperienceHost.exe (PID: 5912)
      • TextInputHost.exe (PID: 6032)
      • StartMenuExperienceHost.exe (PID: 6288)
      • SearchApp.exe (PID: 6004)
      • StartMenuExperienceHost.exe (PID: 6068)
      • SearchApp.exe (PID: 2876)
      • SearchApp.exe (PID: 6336)
    • Reads the software policy settings

      • SearchApp.exe (PID: 3620)
      • SearchApp.exe (PID: 4892)
      • SearchApp.exe (PID: 4792)
      • SearchApp.exe (PID: 7096)
      • SearchApp.exe (PID: 6336)
    • Checks proxy server information

      • SearchApp.exe (PID: 4892)
      • SearchApp.exe (PID: 4792)
      • SearchApp.exe (PID: 7096)
      • SearchApp.exe (PID: 6420)
      • SearchApp.exe (PID: 5796)
      • SearchApp.exe (PID: 6004)
      • SearchApp.exe (PID: 6336)
    • Reads Environment values

      • SearchApp.exe (PID: 4892)
      • SearchApp.exe (PID: 4792)
      • SearchApp.exe (PID: 7096)
      • SearchApp.exe (PID: 6420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:03 08:42:30+00:00
ImageFileCharacteristics: Executable, 32-bit, DLL
PEType: PE32
LinkerVersion: 9
CodeSize: 435712
InitializedDataSize: 835584
UninitializedDataSize: 5120
EntryPoint: 0x5956
OSVersion: 5
ImageVersion: 1
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
243
Monitored processes
94
Malicious processes
1
Suspicious processes
0

Behavior graph


Process information

PID | CMD | Path | Indicators | Parent process
PID: 904 | CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 1296 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1328 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\ntmarta.dll
PID: 1792 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wincorlib.dll
PID: 2280 | CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2280 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 2680 | CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2736 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wincorlib.dll
PID: 2876 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wincorlib.dll
PID: 3128 | CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
Total events
292 928
Read events
291 566
Write events
1 333
Delete events
29

Modification events

(PID) Process: (3620) SearchApp.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | Operation: write | Name: Total | Value: 55
(PID) Process: (3620) SearchApp.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | Operation: write | Name: Total | Value: 22
(PID) Process: (3620) SearchApp.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | Operation: write | Name: Total | Value: 1790
(PID) Process: (3620) SearchApp.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | Operation: write | Name: Total | Value: 1850
(PID) Process: (3620) SearchApp.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | Operation: write | Name: Total | Value: 1897
(PID) Process: (1296) StartMenuExperienceHost.exe | Key: \REGISTRY\A\{ecd07d7f-cff2-eb90-7f4a-483d80b1dc4c}\LocalState\DataCorruptionRecovery | Operation: write | Name: InitializationAttemptCount | Value: 0100000041CDBEDEF086DB01
(PID) Process: (1296) StartMenuExperienceHost.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties | Operation: write | Name: Completed | Value: 1
(PID) Process: (1296) StartMenuExperienceHost.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData | Operation: write | Name: Completed | Value: 1
(PID) Process: (1296) StartMenuExperienceHost.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles | Operation: write | Name: Completed | Value: 1
(PID) Process: (1296) StartMenuExperienceHost.exe | Key: \REGISTRY\A\{ecd07d7f-cff2-eb90-7f4a-483d80b1dc4c}\LocalState\DataCorruptionRecovery | Operation: write | Name: InitializationAttemptCount | Value: 00000000592CFFDEF086DB01
Executable files
0
Suspicious files
26
Text files
94
Unknown types
0

Dropped files

PID | Process | Filename | Type
PID: 3620 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml | Type: text
MD5: 0160A0874640552D503AB94E3A04B9D0
SHA256: 1C104BF3CCAB3F5DA651AD0C4C75482C1BE4BBA4E54F81CA8CE3473910EE8336
PID: 4892 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\Q84V0JUH\6hU_LneafI_NFLeDvM367ebFaKQ[1].js | Type: binary
MD5: C6C21B7634D82C53FB86080014D86E66
SHA256: D39E9BA92B07F4D50B11A49965E9B162452D7B9C9F26D9DCB07825727E31057E
PID: 3620 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres | Type: binary
MD5: 6EBDC926E6AAFDC5885423E9D73ABD64
SHA256: 1FCD828758A966D587A8633159AEC91AF073C3D966502BBC30E73AE4A4A429F2
PID: 4792 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\Init[1].htm | Type: html
MD5: CAA00635405E6E126BD765C9992CEEC8
SHA256: 68F8074BA09E573CCFD29D303563D81F4A8A85C2CFC27F7045C55C4E83748515
PID: 7096 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\dA5C-RUNdfz70qQQUNOSPqSPraE[2].js | Type: binary
MD5: 7F503C331FDA0B17D382157723BF2770
SHA256: C9A57CFEE6238DE9C26C9E5F3C3E03686499F84B36F3B988D566987423BEA183
PID: 3620 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres | Type: binary
MD5: 21DF333A75E1619F9284F8BA2AC65815
SHA256: F763F66878E7272766DFA599F4815EE838FBE6EF7542B7FB7CB5AF2E624AE59A
PID: 7096 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\FgBbpIj0thGWZOh_xFnM9i4O7ek[1].css | Type: text
MD5: 908111EB0FFB1360D5DD61279C21703E
SHA256: 1ED87CF425DED994B05A842271AB4D28A76F399E571688CF2E7B186F70DC3059
PID: 7096 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\vOJNaIfAXvJzmnBm845ss-M9YR8[1].css | Type: text
MD5: 87BBB1A289EDC24C9F06B88229765467
SHA256: 85B291C46F9D1EEEC71DB839F649D748F48B203EA836F3ACE3B9B761947D960C
PID: 6420 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\2u1i5bXJCKdk4jOb70d5CjAHxg4[1].css | Type: text
MD5: D6F7358414188BB4B9713ABD942B775B
SHA256: C457B847A6C6EDC68E5F95E573F8B71CCBEE388007F0DA5984BF8B143DB5E619
PID: 7096 | Process: SearchApp.exe | Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\AptopUBu7_oVDubJxwvaIprW-lI[1].css | Type: text
MD5: 29DE55D0A7A581B230CC2D70686CD03A
SHA256: D9F161C1FE8751953E4F3819993C16C2A61A0121B527E09862C34C89E7B6C677
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
163
TCP/UDP connections
81
DNS requests
21
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
PID: 4712 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 2.19.11.120:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 2.23.246.101:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 2.19.11.120:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 2.23.246.101:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
Method: GET | IP: 104.126.37.137:443 | URL: https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | CN: unknown
Method: GET | IP: 104.126.37.144:443 | URL: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | CN: unknown
Method: GET | IP: 104.126.37.137:443 | URL: https://www.bing.com/rb/6j/cir3,ortl,cc,nc/2u1i5bXJCKdk4jOb70d5CjAHxg4.css?bu=M8cKwQrNCsEKsQvBCrcLwQrBCsEKwgvBCskLwQrPC8EK1QvBCtsLwQrfCsEK5QrBCtkKwQrBCqgLwQr0CsEK-grBCu4KwQqAC4oLjQvBCsEKpQuTC8EKmQucC8EKhwzBCuELwQrADA&or=w | CN: unknown
Method: GET | IP: 104.126.37.131:443 | URL: https://www.bing.com/rb/6j/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AcEK&or=w | CN: unknown
Method: GET | HTTP Code: 200 | IP: 104.126.37.137:443 | URL: https://www.bing.com/rb/19/cir3,ortl,cc,nc/FgBbpIj0thGWZOh_xFnM9i4O7ek.css?bu=C6QK9AOeBYAL2gnECcwHbm5ubg&or=w | CN: unknown | Type: text | Size: 19.8 Kb | Reputation: whitelisted
Method: GET | HTTP Code: 200 | IP: 104.126.37.129:443 | URL: https://www.bing.com/rb/3C/ortl,cc,nc/AptopUBu7_oVDubJxwvaIprW-lI.css?bu=A4gCjAKPAg&or=w | CN: unknown | Type: text | Size: 15.5 Kb | Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
PID: 4712 | Process: MoUsoCoreWorker.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 5392 | Process: svchost.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
IP: 2.23.227.208:443 | Domain: www.bing.com | ASN: Ooredoo Q.S.C. | CN: QA | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4712 | Process: MoUsoCoreWorker.exe | IP: 2.19.11.120:80 | Domain: crl.microsoft.com | ASN: Elisa Oyj | CN: NL | Reputation: whitelisted
IP: 2.19.11.120:80 | Domain: crl.microsoft.com | ASN: Elisa Oyj | CN: NL | Reputation: whitelisted
IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 2.23.246.101:80 | Domain: www.microsoft.com | ASN: Ooredoo Q.S.C. | CN: QA | Reputation: whitelisted
PID: 3620 | Process: SearchApp.exe | IP: 2.23.227.208:443 | Domain: www.bing.com | ASN: Ooredoo Q.S.C. | CN: QA | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
whitelisted
self.events.data.microsoft.com
  • 52.168.117.174
whitelisted

Threats

No threats detected
No debug info