URL: https://go.linkify.ru/1qUq

Full analysis: https://app.any.run/tasks/2ea1d6d3-1715-4875-b606-98849a5e1515
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 07, 2025, 07:31:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: adware, downloadassistant, inno, installer, delphi, loader, xor-url, generic, neoreklami
Indicators:
MD5: 12242B31799D8B27A4FA28B18D399620
SHA1: 9B1841E0AFE14AB3FE24FDA1736A305FDF29A46B
SHA256: 494CFAE70F7FAA78FC8CFEB05BBD4ECE7E4BB8BC309AB7812E39B4AEA8AF0416
SSDEEP: 3:N8r9K/6XKU:2u8KU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DOWNLOADASSISTANT mutex has been found

      • setup_ylNiMteDjD.tmp (PID: 7276)
    • ADWARE has been detected (SURICATA)

      • diskclonetoolbox.exe (PID: 6724)
      • rundll32.exe (PID: 5348)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 1056)
      • powershell.exe (PID: 8072)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 1680)
      • powershell.exe (PID: 2124)
      • powershell.exe (PID: 4628)
    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 1056)
      • powershell.exe (PID: 8072)
      • cmd.exe (PID: 872)
      • cmd.exe (PID: 7456)
      • cmd.exe (PID: 8156)
    • Uses Task Scheduler to run other applications

      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • bvtoiuu.exe (PID: 6656)
      • NIzXDZh.exe (PID: 6060)
    • XORed URL has been found (YARA)

      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • bvtoiuu.exe (PID: 6656)
    • Uses Task Scheduler to autorun other applications

      • NIzXDZh.exe (PID: 6060)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • setup_ylNiMteDjD.tmp (PID: 7276)
      • 5zrRy9Wm9o3rASEO.tmp (PID: 5736)
    • Executable content was dropped or overwritten

      • setup_ylNiMteDjD.exe (PID: 924)
      • setup_ylNiMteDjD.tmp (PID: 7276)
      • diskclonetoolbox.exe (PID: 6724)
      • 5zrRy9Wm9o3rASEO.exe (PID: 6048)
      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • 5zrRy9Wm9o3rASEO.tmp (PID: 5736)
      • backupstartmenu.exe (PID: 7860)
      • bvtoiuu.exe (PID: 6656)
      • NIzXDZh.exe (PID: 6060)
    • Reads the Windows owner or organization settings

      • setup_ylNiMteDjD.tmp (PID: 7276)
    • Connects to the server without a host name

      • diskclonetoolbox.exe (PID: 6724)
    • Access to an unwanted program domain was detected

      • diskclonetoolbox.exe (PID: 6724)
      • rundll32.exe (PID: 5348)
    • Potential Corporate Privacy Violation

      • diskclonetoolbox.exe (PID: 6724)
    • Starts CMD.EXE for commands execution

      • diskclonetoolbox.exe (PID: 6724)
      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • forfiles.exe (PID: 2644)
      • forfiles.exe (PID: 2416)
      • forfiles.exe (PID: 2408)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 4220)
      • NIzXDZh.exe (PID: 6060)
      • forfiles.exe (PID: 7620)
      • forfiles.exe (PID: 6480)
      • forfiles.exe (PID: 3992)
    • Process requests binary or script from the Internet

      • diskclonetoolbox.exe (PID: 6724)
    • Searches and executes a command on selected files

      • forfiles.exe (PID: 2644)
      • forfiles.exe (PID: 2416)
      • forfiles.exe (PID: 2408)
      • forfiles.exe (PID: 7620)
      • forfiles.exe (PID: 6480)
      • forfiles.exe (PID: 3992)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 6800)
      • cmd.exe (PID: 6908)
      • bvtoiuu.exe (PID: 6656)
      • cmd.exe (PID: 7456)
      • cmd.exe (PID: 872)
      • cmd.exe (PID: 8156)
    • Found strings related to reading or modifying Windows Defender settings

      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • forfiles.exe (PID: 2644)
      • forfiles.exe (PID: 2416)
      • forfiles.exe (PID: 2408)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 4220)
      • NIzXDZh.exe (PID: 6060)
      • forfiles.exe (PID: 7620)
      • forfiles.exe (PID: 6480)
      • forfiles.exe (PID: 3992)
    • Process drops legitimate windows executable

      • setup_ylNiMteDjD.tmp (PID: 7276)
      • 5zrRy9Wm9o3rASEO.tmp (PID: 5736)
    • Executes application which crashes

      • diskclonetoolbox.exe (PID: 6724)
    • There is functionality for taking screenshot (YARA)

      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • bvtoiuu.exe (PID: 6656)
    • The process executes via Task Scheduler

      • bvtoiuu.exe (PID: 6656)
      • powershell.exe (PID: 1616)
      • NIzXDZh.exe (PID: 6060)
      • rundll32.exe (PID: 868)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5352)
      • powershell.exe (PID: 7968)
      • cmd.exe (PID: 1132)
      • powershell.exe (PID: 4220)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 8032)
      • schtasks.exe (PID: 8044)
      • schtasks.exe (PID: 1176)
      • schtasks.exe (PID: 4732)
      • schtasks.exe (PID: 300)
  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 8024)
      • identity_helper.exe (PID: 7712)
    • Checks supported languages

      • identity_helper.exe (PID: 8024)
      • identity_helper.exe (PID: 7712)
      • setup_ylNiMteDjD.exe (PID: 924)
      • setup_ylNiMteDjD.tmp (PID: 7276)
    • Application launched itself

      • msedge.exe (PID: 780)
      • msedge.exe (PID: 3032)
    • Reads the computer name

      • identity_helper.exe (PID: 8024)
      • identity_helper.exe (PID: 7712)
      • setup_ylNiMteDjD.tmp (PID: 7276)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 780)
    • Manual execution by a user

      • WinRAR.exe (PID: 6416)
      • setup_ylNiMteDjD.exe (PID: 924)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6416)
      • msedge.exe (PID: 6560)
    • Create files in a temporary directory

      • setup_ylNiMteDjD.exe (PID: 924)
      • setup_ylNiMteDjD.tmp (PID: 7276)
    • The sample compiled with english language support

      • setup_ylNiMteDjD.tmp (PID: 7276)
      • 5zrRy9Wm9o3rASEO.tmp (PID: 5736)
      • backupstartmenu.exe (PID: 7860)
      • msedge.exe (PID: 6560)
    • Detects InnoSetup installer (YARA)

      • setup_ylNiMteDjD.tmp (PID: 7276)
      • setup_ylNiMteDjD.exe (PID: 924)
      • 5zrRy9Wm9o3rASEO.exe (PID: 6048)
      • 5zrRy9Wm9o3rASEO.tmp (PID: 5736)
    • Compiled with Borland Delphi (YARA)

      • diskclonetoolbox.exe (PID: 6724)
      • setup_ylNiMteDjD.tmp (PID: 7276)
      • setup_ylNiMteDjD.exe (PID: 924)
      • slui.exe (PID: 5328)
      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • 5zrRy9Wm9o3rASEO.exe (PID: 6048)
      • backupstartmenu.exe (PID: 7860)
      • 5zrRy9Wm9o3rASEO.tmp (PID: 5736)
    • Launching a file from Task Scheduler

      • 6DyRBYvdVDFAmNJBul.exe (PID: 6156)
      • bvtoiuu.exe (PID: 6656)
      • NIzXDZh.exe (PID: 6060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
447
Monitored processes
262
Malicious processes
8
Suspicious processes
10

Behavior graph

Interactive process tree (rendered in the full report). Tagged nodes in the graph: setup_ylnimtedjd.exe (#DOWNLOADASSISTANT), diskclonetoolbox.exe (#ADWARE), 6dyrbyvdvdfamnjbul.exe (#XOR-URL), bvtoiuu.exe (#XOR-URL), rundll32.exe (#ADWARE); the remaining nodes are msedge.exe, werfault.exe, cmd.exe, conhost.exe, powershell.exe, forfiles.exe, wmic.exe, reg.exe, schtasks.exe, gpupdate.exe, winrar.exe, slui.exe, sppextcomobj.exe, identity_helper.exe, 5zrry9wm9o3raseo.exe/.tmp, backupstartmenu.exe and nizxdzh.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 240
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7ffc88525fd8,0x7ffc88525fe4,0x7ffc88525ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
9
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 300
CMD: "C:\WINDOWS\system32\gpupdate.exe" /force
Path: C:\Windows\System32\gpupdate.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Group Policy Update Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\gpupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 300
CMD: schtasks /DELETE /F /TN "gjCzeeikbMByMyylE"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: NIzXDZh.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 456
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6184 --field-trial-handle=2244,i,9507410376216441488,305486558463022883,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 456
CMD: "C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UVQEeGjoWcooC" /t REG_DWORD /d 0 /reg:32
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 540
CMD: "C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\toPnFwQDfLBKuPETrAR" /t REG_DWORD /d 0 /reg:32
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 616
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6724 -s 1344
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: diskclonetoolbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 616
CMD: "C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147914824 /t REG_SZ /d 6 /reg:32
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 656
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6724 -s 1220
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: diskclonetoolbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 668
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5116 --field-trial-handle=2332,i,16906158182825783314,1230844266239780401,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
123 406
Read events
122 989
Write events
301
Delete events
116

Modification events

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (780) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: C9D2939D8C952F00

(PID) Process: (780) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 9A09A49D8C952F00

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\983886
Operation: write
Name: WindowTabManagerFileMappingId
Value: {1AFB1248-598F-43DE-AAA8-C9AE4223BBB8}

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\983886
Operation: write
Name: WindowTabManagerFileMappingId
Value: {9BA0B310-65D7-4EDA-B747-B74EF799DAB5}

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\983886
Operation: write
Name: WindowTabManagerFileMappingId
Value: {837E9925-3F36-4A47-B8D9-DED947548175}

(PID) Process: (780) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\983886
Operation: write
Name: WindowTabManagerFileMappingId
Value: {EDA3B44D-54C1-4A73-8122-98F5EEA7B6E7}
Executable files
93
Suspicious files
622
Text files
329
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF11f50b.TMP

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF11f50b.TMP

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11f51b.TMP

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF11f51b.TMP

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF11f52b.TMP

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old

PID: 780
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF11f52b.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
161
DNS requests
180
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5952
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1749572865&P2=404&P3=2&P4=TQf6Yvlio8qJy0jM0hO%2b%2bruHfgJH9wt32w8geTSO9B9gPPDzzw9yfz8JKdkdrm0MSLhvgVXEJlRd1cUrw4Zifg%3d%3d
unknown
whitelisted
5952
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1749572865&P2=404&P3=2&P4=TQf6Yvlio8qJy0jM0hO%2b%2bruHfgJH9wt32w8geTSO9B9gPPDzzw9yfz8JKdkdrm0MSLhvgVXEJlRd1cUrw4Zifg%3d%3d
unknown
whitelisted
5952
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1749572865&P2=404&P3=2&P4=TQf6Yvlio8qJy0jM0hO%2b%2bruHfgJH9wt32w8geTSO9B9gPPDzzw9yfz8JKdkdrm0MSLhvgVXEJlRd1cUrw4Zifg%3d%3d
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8068
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8068
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6724
diskclonetoolbox.exe
POST
104.21.2.206:80
http://somenoxezowa.ru/new/net_api
unknown
unknown
6724
diskclonetoolbox.exe
POST
104.21.2.206:80
http://somenoxezowa.ru/new/net_api
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
7224
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
780
msedge.exe
239.255.255.250:1900
whitelisted
5548
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5548
msedge.exe
188.114.96.3:443
go.linkify.ru
CLOUDFLARENET
NL
unknown
5548
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5548
msedge.exe
142.250.185.170:443
fonts.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
google.com
  • 142.250.184.238
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
go.linkify.ru
  • 188.114.96.3
  • 188.114.97.3
unknown
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
www.bing.com
  • 2.16.204.148
  • 2.16.204.147
  • 2.16.204.136
  • 2.16.204.146
  • 2.16.204.142
  • 2.16.204.135
  • 2.16.204.144
  • 2.16.204.138
  • 2.16.204.137
whitelisted

Threats

PID
Process
Class
Message
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
No debug info