File name:

4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe

Full analysis: https://app.any.run/tasks/7ab78767-c1f2-443d-9ca2-3a05df2636d7
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are malware that gives an attacker full or partial control over an infected computer. They are often modular, offering a wide range of functions for illicit activity on the compromised system; the most common are access to the user's files, webcam and keystrokes. RATs are typically distributed through phishing emails and links.

Analysis date: July 10, 2025, 17:13:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
remcos
rat
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

3793AD6206518D454116455D21A69BC9

SHA1:

2E2FFE7F4DB3AC4F86EB3A3570A6A80A8DE7A592

SHA256:

4D52393838AD941E2CF63FF7BB4FE2FFDBA1BCD051506F097649C97952641CEB

SSDEEP:

49152:UU7hz8Pem1NVy/uqJ1sKPxwLtNzSU84+Es9GzI+fLrB/oaLGudyaBwps1JGBUHFr:QNVY+s9EyApdFwpQJGBUXjdh/ORgZHc0

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 3956)
    • REMCOS mutex has been found

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 6492)
      • graias.exe (PID: 1632)
      • graias.exe (PID: 2276)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
    • Changes Windows Defender settings

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
    • Adds path to the Windows Defender exclusion list

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
    • Changes the autorun value in the registry

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
      • graias.exe (PID: 1632)
    • REMCOS has been detected

      • graias.exe (PID: 1632)
    • REMCOS has been detected (YARA)

      • graias.exe (PID: 1632)
      • graias.exe (PID: 2276)
  • SUSPICIOUS

    • Application launched itself

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 2972)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
      • graias.exe (PID: 6172)
    • Starts POWERSHELL.EXE for commands execution

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
    • Reads security settings of Internet Explorer

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
      • graias.exe (PID: 4104)
    • Script adds exclusion path to Windows Defender

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
    • Executable content was dropped or overwritten

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
    • Connects to unusual port

      • graias.exe (PID: 1632)
    • Starts itself from another location

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
    • There is functionality for taking screenshot (YARA)

      • graias.exe (PID: 1632)
      • graias.exe (PID: 2276)
  • INFO

    • Reads the computer name

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 2972)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 6492)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
      • graias.exe (PID: 4104)
      • graias.exe (PID: 6172)
      • graias.exe (PID: 1632)
      • identity_helper.exe (PID: 5876)
    • Checks supported languages

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 2972)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 6492)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
      • graias.exe (PID: 4104)
      • graias.exe (PID: 6172)
      • graias.exe (PID: 1632)
      • identity_helper.exe (PID: 5876)
      • graias.exe (PID: 2276)
    • Reads the machine GUID from the registry

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 2972)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 6492)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
      • graias.exe (PID: 6172)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 3956)
      • svchost.exe (PID: 1232)
    • Process checks computer location settings

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 1812)
      • graias.exe (PID: 4104)
      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
    • Launching a file from a Registry key

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
      • graias.exe (PID: 1632)
    • Manual execution by a user

      • graias.exe (PID: 6172)
      • msedge.exe (PID: 1932)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4012)
      • powershell.exe (PID: 3048)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4012)
      • powershell.exe (PID: 3048)
    • Creates files or folders in the user directory

      • 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (PID: 5416)
    • Creates files in the program directory

      • graias.exe (PID: 1632)
    • Application launched itself

      • msedge.exe (PID: 7052)
      • msedge.exe (PID: 1932)
    • Reads Environment values

      • identity_helper.exe (PID: 5876)
    • Checks proxy server information

      • slui.exe (PID: 2228)
    • Reads the software policy settings

      • slui.exe (PID: 2228)
Signature artifacts and the mapping to the MITRE ATT&CK matrix are available in the full report.
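The signatures above map onto a handful of telemetry-level rules. The Python below is an added example written for this page, not ANY.RUN code: it runs five rules over constructed Sysmon-style events modelled on this report (the sample started by dllhost.exe at High integrity, which is what the CMSTPLUA privilege-escalation signature refers to; the PowerShell Defender exclusion; the Rmc-O844B9 Run value; the HKCU\SOFTWARE\Rmc-O844B9 settings key; and the 185.234.72.215:4444 connection), plus two benign events from the same run for contrast. The event field names, the powershell.exe path and command line, and the HKCU spelling of the registry root are assumptions; real Sysmon records HKU\<SID> and the report does not show the PowerShell command line.

```python
import re
from pathlib import PureWindowsPath

# Values taken from the report.
SAMPLE = r"C:\Users\admin\Desktop\4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe"
IMPLANT = r"C:\Users\admin\AppData\Roaming\Graias\graias.exe"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_C2 = {("185.234.72.215", 4444)}

# Remcos reuses its mutex name (Rmc-XXXXXX, here Rmc-O844B9) as the Run value
# name and as its per-bot settings subkey under HKCU\SOFTWARE.
REMCOS_NAME_RE = re.compile(r"Rmc-[0-9A-Z]{6}")
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
REMCOS_SETTINGS_RE = re.compile(
    r"^HK(?:CU|U\\S-1-5-21-[\d-]+)\\SOFTWARE\\(Rmc-[0-9A-Z]{6})\\(exepath|licence|time|WD)$",
    re.IGNORECASE)

# Constructed sample telemetry (not real logs). PIDs and paths follow the report;
# the powershell.exe command line is assumed from the "Script adds exclusion path" signature.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1812, "image": SAMPLE, "integrity": "High",
     "parent_image": r"C:\Windows\System32\dllhost.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "ProcessCreate", "pid": 4012, "integrity": "High",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": SAMPLE,
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "C:\\Users\\admin\\AppData\\Roaming\\Graias"'},
    {"type": "RegistryValueSet", "pid": 5416, "image": SAMPLE,
     "target": RUN_KEY + r"\Rmc-O844B9", "details": f'"{IMPLANT}"'},
    {"type": "RegistryValueSet", "pid": 1632, "image": IMPLANT,
     "target": r"HKCU\SOFTWARE\Rmc-O844B9\exepath",
     "details": "CC5FEF9552EC1EE1CA3BDB36C690986F"},  # leading bytes of the blob; the rule keys on the value name
    {"type": "NetworkConnect", "pid": 1632, "image": IMPLANT,
     "dst_ip": "185.234.72.215", "dst_port": 4444},
    # Benign noise from the same run: an Edge GPU process and svchost.exe touching WinINet cache settings.
    {"type": "ProcessCreate", "pid": 516, "integrity": "Low",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --type=gpu-process"},
    {"type": "RegistryValueSet", "pid": 1232, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix",
     "details": ""},
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def detect(events):
    """Return (rule, pid) tuples for every event that trips one of the rules."""
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            # COM-elevation bypass (CMSTPLUA and friends): the attacker binary ends up as a
            # High-integrity child of dllhost.exe, the COM surrogate. Legitimate software does
            # not get an image under C:\Users launched that way.
            if (_name(e["parent_image"]) == "dllhost.exe" and e["integrity"] == "High"
                    and _under_user_profile(e["image"])):
                hits.append(("uac_bypass_dllhost_child", e["pid"]))
            if (_name(e["image"]) in ("powershell.exe", "pwsh.exe")
                    and re.search(r"add-mppreference.*-exclusion", e.get("cmdline", ""), re.IGNORECASE)):
                hits.append(("defender_exclusion_added", e["pid"]))
        elif kind == "RegistryValueSet":
            m = RUN_VALUE_RE.search(e["target"])
            if m:
                if REMCOS_NAME_RE.fullmatch(m.group(1)):
                    hits.append(("remcos_run_value", e["pid"]))
                elif "\\appdata\\" in e.get("details", "").lower():
                    # Generic persistence: an autorun entry pointing into a user-writable directory.
                    hits.append(("run_value_in_appdata", e["pid"]))
            if REMCOS_SETTINGS_RE.match(e["target"]):
                hits.append(("remcos_settings_key", e["pid"]))
        elif kind == "NetworkConnect":
            if (e["dst_ip"], e["dst_port"]) in KNOWN_C2:
                hits.append(("remcos_c2_connect", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}")
```

The first two rules are behavioural and fire on any malware using the same tricks; the Remcos-specific rules key on the Rmc-XXXXXX naming, so a rebuilt sample with a new mutex still trips them, whereas the C2 rule only catches this exact infrastructure.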

Remcos

Configuration extracted from graias.exe (PID 1632) and graias.exe (PID 2276); both instances carry an identical configuration.

C2 (1): 185.234.72.215:4444
Botnet: Graias

Options:
Connect_interval: 1
Install_flag: True
Install_HKCU\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 0
Setup_path: %APPDATA%
Copy_file: graias.exe
Startup_value: True
Hide_file: True
Mutex_name: Rmc-O844B9
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: True
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: 1
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Graias
Keylog_dir: graias

Reading the options against the observed behaviour: Setup_path\Copy_dir\Copy_file gives C:\Users\admin\AppData\Roaming\Graias\graias.exe, the path written into the Run value; Mutex_name Rmc-O844B9 is reused as the Run value name and as the HKCU\SOFTWARE\Rmc-O844B9 settings key (see the modification events); keylogging is enabled with an unencrypted log at %LOCALAPPDATA%\graias\logs.dat, while screenshots are disabled.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (70.7)
.scr | Windows screen saver (12.6)
.dll | Win32 Dynamic Link Library (generic) (6.3)
.exe | Win32 Executable (generic) (4.3)
.exe | Win16/32 Executable Delphi generic (2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:23 17:48:01+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1002496
InitializedDataSize: 14336
UninitializedDataSize: -
EntryPoint: 0xf67ea
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: pwsgl3
FileVersion: 1.0.0.0
InternalName: qZIk.exe
LegalCopyright: Copyright © 2016
LegalTrademarks: -
OriginalFileName: qZIk.exe
ProductName: pwsgl3
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes
186
Monitored processes
49
Malicious processes
8
Suspicious processes
1

Behavior graph

Processes in launch order, flattened from the interactive graph ("no specs" marks a process on which no signature triggered):

4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe (no specs) ×3, CMSTPLUA (no specs; the elevated COM object behind the dllhost.exe privilege-escalation signature), the sample again (no specs), powershell.exe (no specs), conhost.exe (no specs), the sample (no specs), graias.exe (no specs) ×2, powershell.exe (no specs), conhost.exe (no specs), graias.exe (no specs), graias.exe, svchost.exe (no specs), graias.exe (no specs), slui.exe, then a long tail of msedge.exe instances (two of them with indicators) and two identity_helper.exe instances (no specs).

The Edge tail is a side effect rather than C2 activity: the 32-bit svchost.exe started by graias.exe (PID 1232) loads mscoree.dll, the .NET shim fails with SHIM_NOVERSION_FOUND, and Windows opens the "application not started" help link in Edge (see the msedge.exe PID 1932 command line and the go.microsoft.com / learn.microsoft.com requests below).

Process information

Each entry gives the PID, command line, image path and parent process, followed by the process metadata and the first loaded modules.

PID: 516
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2264,i,9987965206096591858,15949856930787999347,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1208
CMD: "C:\Users\admin\AppData\Roaming\Graias\graias.exe"
Path: C:\Users\admin\AppData\Roaming\Graias\graias.exe
Parent process: graias.exe
User:
admin
Integrity Level:
HIGH
Description:
pwsgl3
Exit code:
4294967295 (0xFFFFFFFF, i.e. -1)
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\graias\graias.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1232
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: graias.exe
Note: a 32-bit svchost.exe started by the implant with a bare command line and loading mscoree.dll (see modules below) is not a genuine service host; the .NET shim failure it produced is what later opened Edge (PID 1932).
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 1632
CMD: "C:\Users\admin\AppData\Roaming\Graias\graias.exe"
Path: C:\Users\admin\AppData\Roaming\Graias\graias.exe
Parent process: graias.exe
User:
admin
Integrity Level:
HIGH
Description:
pwsgl3
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\graias\graias.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Remcos configuration for PID 1632: identical to the configuration listed in the Remcos section above.
PID: 1812
CMD: "C:\Users\admin\Desktop\4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe"
Path: C:\Users\admin\Desktop\4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe
Parent process: dllhost.exe (COM surrogate; compare the "Known privilege escalation attack" signature on dllhost.exe PID 3956 and the HIGH integrity level of this instance, which is what lets it change Defender settings)
User:
admin
Integrity Level:
HIGH
Description:
pwsgl3
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 1932
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --disable-quic --flag-switches-end --do-not-de-elevate --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
Note: the fwlink URL (o1=SHIM_NOVERSION_FOUND, processName=svchost.exe) is the .NET Framework "application not started" link for the svchost.exe spawned by graias.exe; the Edge, identity_helper.exe and slui.exe activity in this report stems from that, not from the RAT's own network traffic.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2128
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6848,i,3036816705230958640,3655694341843580369,262144 --variations-seed-version --mojo-platform-channel-handle=6860 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2228
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2276
CMD: "C:\Users\admin\AppData\Roaming\Graias\graias.exe"
Path: C:\Users\admin\AppData\Roaming\Graias\graias.exe
Parent process: graias.exe
User:
admin
Integrity Level:
MEDIUM
Description:
pwsgl3
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\graias\graias.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Remcos configuration for PID 2276: identical to the configuration listed in the Remcos section above.
PID: 2388
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3648,i,3036816705230958640,3655694341843580369,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
22 121
Read events
22 076
Write events
44
Delete events
1

Modification events

("sample" below stands for 4d52393838ad941e2cf63ff7bb4fe2ffdba1bcd051506f097649c97952641ceb.bin.exe)

PID 5416 (sample)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: Rmc-O844B9
Value: "C:\Users\admin\AppData\Roaming\Graias\graias.exe"

PID 5416 (sample)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 1632 (graias.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: Rmc-O844B9
Value: "C:\Users\admin\AppData\Roaming\Graias\graias.exe"

PID 1632 (graias.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9
Operation: write | Name: exepath
Value: CC5FEF9552EC1EE1CA3BDB36C690986FF2B2E57DD255DD98D6B009BE238BB2A65EC6CF309C82F790AEDF715AC62D2BED3E5C1BA5E35DAE395E593108F4CAE62BBA34A03784D9A716090EC614B20CFB5878BAB3DF780D8C080907A7A5D55348D31B9D

PID 1632 (graias.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9
Operation: write | Name: licence
Value: B0D778D1A0BD5F47A486E88F87A4AD10

PID 1632 (graias.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9
Operation: write | Name: time
Value: (empty)

PID 1632 (graias.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9
Operation: write | Name: WD
Value: 1632

PID 2276 (graias.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9
Operation: delete value | Name: WD
Value: 0

PID 1232 (svchost.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value: (empty)

PID 1232 (svchost.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

Both persistence writers (the sample, PID 5416, and graias.exe, PID 1632) use the mutex name Rmc-O844B9 as the Run value name, and the same name is the per-bot settings key under HKCU\SOFTWARE. There, exepath holds an opaque blob (Remcos keeps its install path encrypted), licence is the build's licence hash, and WD is written with the writer's own PID (1632) and deleted again by the second graias.exe instance (2276). For host triage, the Run value name and the HKCU\SOFTWARE\Rmc-* key are the cheapest artifacts to sweep for.
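The configuration and the registry events above line up: Setup_path\Copy_dir\Copy_file is the path in the Run value, and the mutex name Rmc-O844B9 is reused as the Run value name and as the HKCU\SOFTWARE subkey. The Python below is an added example for this page, not ANY.RUN tooling: it turns the extracted config into a concrete artifact list and, when run on a Windows host, checks for them. The config dictionary is copied from the report; the sandbox user's environment variables, the keylog file path (derived from the config, never shown as dropped in the report) and the HKLM Explorer\Run location (enabled in the config but absent from the listed write events) are assumptions.

```python
import os
import re

# Configuration as extracted from graias.exe (PID 1632 / 2276) in this report.
REMCOS_CONFIG = {
    "C2": ["185.234.72.215:4444"],
    "Install_flag": True,
    "Install_HKCU\\Run": True,
    "Install_HKLM\\Explorer\\Run": 1,
    "Install_HKLM\\Winlogon\\Shell": 0,
    "Setup_path": "%APPDATA%",
    "Copy_dir": "Graias",
    "Copy_file": "graias.exe",
    "Mutex_name": "Rmc-O844B9",
    "Keylog_flag": 1,
    "Keylog_path": "%LOCALAPPDATA%",
    "Keylog_dir": "graias",
    "Keylog_file": "logs.dat",
    "Screenshot_flag": False,
    "Screenshot_path": "%APPDATA%",
    "Screenshot_file": "Screenshots",
}

# Assumed environment of the sandbox user "admin"; on a live host pass dict(os.environ).
SANDBOX_ENV = {
    "APPDATA": r"C:\Users\admin\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\admin\AppData\Local",
}

# Value names Remcos wrote under HKCU\SOFTWARE\<mutex> in the modification events.
SETTINGS_VALUES = ("exepath", "licence", "time", "WD")


def expand(template: str, env: dict) -> str:
    """Expand %VAR% from an explicit mapping (os.path.expandvars only does %VAR% on Windows)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), template)


def enabled(v) -> bool:
    return v in (True, 1, "1", "True")


def artifacts(cfg: dict, env: dict) -> dict:
    """Map the config to expected files, registry entries (key, value, data), mutexes and C2s."""
    name = cfg["Mutex_name"]
    exe = "\\".join((expand(cfg["Setup_path"], env), cfg["Copy_dir"], cfg["Copy_file"]))
    out = {"files": [], "registry": [], "mutexes": [name], "network": []}
    for c2 in cfg["C2"]:
        host, _, port = c2.rpartition(":")
        out["network"].append((host, int(port)))
    # Per-bot settings key; written regardless of the install options.
    out["registry"] += [(f"HKCU\\SOFTWARE\\{name}", v, None) for v in SETTINGS_VALUES]
    if enabled(cfg["Install_flag"]):
        out["files"].append(exe)
        if enabled(cfg["Install_HKCU\\Run"]):
            out["registry"].append((r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", name, f'"{exe}"'))
        if enabled(cfg["Install_HKLM\\Explorer\\Run"]):
            # Enabled in this config, but no HKLM write appears in the listed events; sweep it anyway.
            out["registry"].append((r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run", name, f'"{exe}"'))
    if enabled(cfg["Keylog_flag"]):
        out["files"].append("\\".join((expand(cfg["Keylog_path"], env), cfg["Keylog_dir"], cfg["Keylog_file"])))
    if enabled(cfg["Screenshot_flag"]):
        out["files"].append("\\".join((expand(cfg["Screenshot_path"], env), cfg["Screenshot_file"])))
    return out


def check_host(art: dict) -> list:
    """Look for the artifacts on the local machine. Registry and mutex checks need Windows."""
    found = [("file", f) for f in art["files"] if os.path.exists(f)]
    try:
        import winreg, ctypes
    except ImportError:
        return found  # not Windows: file check only
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for key, value, _ in art["registry"]:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as k:
                winreg.QueryValueEx(k, value)
                found.append(("registry", f"{key}\\{value}"))
        except OSError:
            pass
    SYNCHRONIZE = 0x00100000
    for m in art["mutexes"]:
        h = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, m)
        if h:
            ctypes.windll.kernel32.CloseHandle(h)
            found.append(("mutex", m))
    return found


if __name__ == "__main__":
    art = artifacts(REMCOS_CONFIG, SANDBOX_ENV)
    for kind, items in art.items():
        for item in items:
            print(f"{kind:9} {item}")
    print("found on this host:", check_host(art))
```

Because the registry key, value name and mutex all derive from Mutex_name, the same function yields a fresh artifact list for any other Remcos build once its config has been extracted; only the environment mapping changes per victim profile.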
Executable files
1
Suspicious files
273
Text files
81
Unknown types
40

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3048 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lrcxdaph.esv.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4012 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | FA6910AD5F533FA7E5A5D0FE12AE63D7 | 178707EFD541F431C8AE7993C9BB48C664BD2DE120A2C724539AA64FA006C4B3
4012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbepohmf.jwr.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3048 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kudqgpez.ldj.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cdjouwd3.cvf.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1932 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1827e6.TMP | - | - | -
1932 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | - | - | -
4012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rlmbmhmk.qg3.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1932 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF182805.TMP | - | - | -
1932 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF182805.TMP | - | - | -

The __PSScriptPolicyTest_*.ps1/.psm1 files (identical hash in every instance) are created by PowerShell itself at start-up to probe the AppLocker/WDAC script policy and are not payloads; the single executable counted above is the graias.exe copy dropped by PID 5416 (see "Executable content was dropped or overwritten"), which this truncated list does not show.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
208
TCP/UDP connections
136
DNS requests
105
Threats
2

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6256 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6256 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 150.171.27.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | - | - | -
- | - | GET | 302 | 95.101.149.131:443 | https://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 | unknown | - | - | -
- | - | GET | 302 | 95.101.150.2:443 | https://learn.microsoft.com/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 | unknown | - | - | -
3760 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:Wa2Z5WqDnO1Fs9jHtBPDPGxHEaVz-eWqzEja19k-YM8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6256 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
6256 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6256 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

All rows shown here are Windows and Edge background traffic. The C2 connection from graias.exe (PID 1632) to 185.234.72.215:4444, evidenced by the extracted configuration and the "Connects to unusual port" signature, is not among them; the complete connection list and the PCAP are in the full report.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
copilot.microsoft.com
  • 2.16.241.220
  • 2.16.241.224
whitelisted
learn.microsoft.com
  • 95.101.150.2
whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install
- | - | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install

Both IDS alerts are HTTP-layer signatures raised by the Edge traffic; neither concerns the Remcos C2. The only network-level evidence for 185.234.72.215:4444 in this report is the "Connects to unusual port" signature on graias.exe (PID 1632), so a network detection for this sample has to come from the extracted C2 address and port rather than from these alerts.