File name:

2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop

Full analysis: https://app.any.run/tasks/12a34bee-4ae8-419e-bd28-83254b3e9c32
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since then, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: June 21, 2025, 12:19:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmoon
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

5C8DD54491F1287985FDF7F60735E959

SHA1:

62B99B8FE431CC322D8BE2BE9AEE22D51AB6FC43

SHA256:

5B8DC17D2A58FCB7FCED5119DFAAC96E832C319C71F6D5A3BAA64F03E5AA25F5

SSDEEP:

49152:XFxUhnky7BM7W88988Nt5KBBDhzsf9hS1Sx5F2b35tZOP3E/4VhH3QLBf8XcHZ8j:3Uhnkyi8qDpsVhS1Sx5HPznWnNHqt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 6336)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 3588)
      • hgqscp.exe (PID: 6336)
      • 377149.exe (PID: 7048)
      • 332811.exe (PID: 3048)
      • 762540.exe (PID: 3676)
      • 426699.exe (PID: 1472)
      • 022024.exe (PID: 7172)
      • 159007.exe (PID: 7520)
      • 651536.exe (PID: 7640)
      • 242240.exe (PID: 7720)
      • 397122.exe (PID: 7804)
      • 798835.exe (PID: 7876)
      • 134097.exe (PID: 7948)
      • 269070.exe (PID: 8024)
      • 660694.exe (PID: 8148)
      • 897117.exe (PID: 864)
      • 287730.exe (PID: 6376)
      • 741135.exe (PID: 7524)
      • 911626.exe (PID: 7804)
      • 159509.exe (PID: 7928)
      • 205561.exe (PID: 8028)
      • 533712.exe (PID: 7320)
      • 826542.exe (PID: 8104)
      • 770589.exe (PID: 7184)
      • 401321.exe (PID: 5644)
      • 798319.exe (PID: 3460)
      • 216154.exe (PID: 7572)
      • 823826.exe (PID: 7128)
      • 101623.exe (PID: 7876)
      • 092164.exe (PID: 8068)
      • 730475.exe (PID: 6796)
      • 279962.exe (PID: 1636)
      • 360413.exe (PID: 8136)
      • 516395.exe (PID: 3108)
      • 232082.exe (PID: 3656)
      • 906000.exe (PID: 7084)
      • 388163.exe (PID: 6340)
      • 778877.exe (PID: 7784)
      • 991943.exe (PID: 7928)
      • 547730.exe (PID: 1388)
      • 863792.exe (PID: 7440)
      • 050700.exe (PID: 3832)
      • 146125.exe (PID: 8140)
      • 164857.exe (PID: 5080)
      • 565569.exe (PID: 7828)
      • 833818.exe (PID: 7768)
      • 069790.exe (PID: 6808)
      • 787835.exe (PID: 1040)
      • 337039.exe (PID: 2836)
      • 583211.exe (PID: 8176)
      • 304973.exe (PID: 7928)
      • 173826.exe (PID: 7028)
    • Executable content was dropped or overwritten

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 6336)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
    • Reads the date of Windows installation

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 3588)
    • Starts itself from another location

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 6336)
    • Application launched itself

      • hgqscp.exe (PID: 3588)
      • 377149.exe (PID: 7048)
      • 332811.exe (PID: 3048)
      • 762540.exe (PID: 3676)
      • 022024.exe (PID: 7172)
      • 159007.exe (PID: 7520)
      • 426699.exe (PID: 1472)
      • 651536.exe (PID: 7640)
      • 242240.exe (PID: 7720)
      • 397122.exe (PID: 7804)
      • 798835.exe (PID: 7876)
      • 134097.exe (PID: 7948)
      • 269070.exe (PID: 8024)
      • 660694.exe (PID: 8148)
      • 741135.exe (PID: 7524)
      • 897117.exe (PID: 864)
      • 287730.exe (PID: 6376)
      • 533712.exe (PID: 7320)
      • 911626.exe (PID: 7804)
      • 159509.exe (PID: 7928)
      • 205561.exe (PID: 8028)
      • 770589.exe (PID: 7184)
      • 826542.exe (PID: 8104)
      • 216154.exe (PID: 7572)
      • 401321.exe (PID: 5644)
      • 798319.exe (PID: 3460)
      • 730475.exe (PID: 6796)
      • 823826.exe (PID: 7128)
      • 101623.exe (PID: 7876)
      • 092164.exe (PID: 8068)
      • 360413.exe (PID: 8136)
      • 279962.exe (PID: 1636)
      • 232082.exe (PID: 3656)
      • 388163.exe (PID: 6340)
      • 516395.exe (PID: 3108)
      • 906000.exe (PID: 7084)
      • 778877.exe (PID: 7784)
      • 991943.exe (PID: 7928)
      • 547730.exe (PID: 1388)
      • 863792.exe (PID: 7440)
      • 146125.exe (PID: 8140)
      • 050700.exe (PID: 3832)
      • 164857.exe (PID: 5080)
      • 565569.exe (PID: 7828)
      • 833818.exe (PID: 7768)
      • 069790.exe (PID: 6808)
      • 787835.exe (PID: 1040)
      • 337039.exe (PID: 2836)
      • 583211.exe (PID: 8176)
      • 304973.exe (PID: 7928)
    • Searches for installed software

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 1472)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1720)
    • Executing commands from a ".bat" file

      • explorer.exe (PID: 1720)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 6336)
  • INFO

    • The sample compiled with chinese language support

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 6336)
    • Reads the computer name

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 3588)
      • 377149.exe (PID: 7048)
      • hgqscp.exe (PID: 6336)
      • 332811.exe (PID: 3048)
      • 762540.exe (PID: 3676)
      • 426699.exe (PID: 1472)
      • 022024.exe (PID: 7172)
      • identity_helper.exe (PID: 7248)
      • 159007.exe (PID: 7520)
      • 242240.exe (PID: 7720)
      • 397122.exe (PID: 7804)
      • 651536.exe (PID: 7640)
      • 798835.exe (PID: 7876)
      • 269070.exe (PID: 8024)
      • 134097.exe (PID: 7948)
      • 660694.exe (PID: 8148)
      • 741135.exe (PID: 7524)
      • 897117.exe (PID: 864)
      • 287730.exe (PID: 6376)
      • 911626.exe (PID: 7804)
      • 159509.exe (PID: 7928)
      • 205561.exe (PID: 8028)
      • 533712.exe (PID: 7320)
      • 770589.exe (PID: 7184)
      • 826542.exe (PID: 8104)
      • 401321.exe (PID: 5644)
      • 798319.exe (PID: 3460)
      • 730475.exe (PID: 6796)
      • 216154.exe (PID: 7572)
      • 823826.exe (PID: 7128)
      • 101623.exe (PID: 7876)
      • 092164.exe (PID: 8068)
      • 360413.exe (PID: 8136)
      • 516395.exe (PID: 3108)
      • 279962.exe (PID: 1636)
      • 906000.exe (PID: 7084)
      • 232082.exe (PID: 3656)
      • 388163.exe (PID: 6340)
      • 778877.exe (PID: 7784)
      • 991943.exe (PID: 7928)
      • 146125.exe (PID: 8140)
      • 547730.exe (PID: 1388)
      • 863792.exe (PID: 7440)
      • 050700.exe (PID: 3832)
      • 164857.exe (PID: 5080)
      • 565569.exe (PID: 7828)
      • 787835.exe (PID: 1040)
      • 069790.exe (PID: 6808)
      • 833818.exe (PID: 7768)
      • 337039.exe (PID: 2836)
      • 583211.exe (PID: 8176)
      • 173826.exe (PID: 7028)
      • 304973.exe (PID: 7928)
    • Reads Environment values

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • identity_helper.exe (PID: 7248)
    • Checks supported languages

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 3588)
      • hgqscp.exe (PID: 6336)
      • 377149.exe (PID: 7048)
      • 377149.exe (PID: 5764)
      • 332811.exe (PID: 3048)
      • 332811.exe (PID: 2132)
      • 762540.exe (PID: 6472)
      • 426699.exe (PID: 1472)
      • 762540.exe (PID: 3676)
      • 426699.exe (PID: 3800)
      • 022024.exe (PID: 7172)
      • identity_helper.exe (PID: 7248)
      • 159007.exe (PID: 7520)
      • 022024.exe (PID: 7272)
      • 159007.exe (PID: 7568)
      • 651536.exe (PID: 7640)
      • 242240.exe (PID: 7720)
      • 651536.exe (PID: 7684)
      • 397122.exe (PID: 7804)
      • 242240.exe (PID: 7768)
      • 397122.exe (PID: 7848)
      • 798835.exe (PID: 7876)
      • 269070.exe (PID: 8024)
      • 134097.exe (PID: 7992)
      • 134097.exe (PID: 7948)
      • 798835.exe (PID: 7920)
      • 269070.exe (PID: 8068)
      • 660694.exe (PID: 8148)
      • 741135.exe (PID: 7524)
      • 660694.exe (PID: 6732)
      • 897117.exe (PID: 7644)
      • 741135.exe (PID: 5960)
      • 897117.exe (PID: 864)
      • 287730.exe (PID: 6376)
      • 287730.exe (PID: 7740)
      • 533712.exe (PID: 7320)
      • 533712.exe (PID: 7832)
      • 911626.exe (PID: 7804)
      • 159509.exe (PID: 7928)
      • 911626.exe (PID: 7892)
      • 159509.exe (PID: 2124)
      • 770589.exe (PID: 7184)
      • 205561.exe (PID: 5560)
      • 770589.exe (PID: 7228)
      • 826542.exe (PID: 8104)
      • 216154.exe (PID: 7572)
      • 826542.exe (PID: 8164)
      • 205561.exe (PID: 8028)
      • 216154.exe (PID: 7104)
      • 401321.exe (PID: 5644)
      • 401321.exe (PID: 7680)
      • 798319.exe (PID: 3460)
      • 798319.exe (PID: 7760)
      • 823826.exe (PID: 7128)
      • 730475.exe (PID: 7300)
      • 823826.exe (PID: 1560)
      • 101623.exe (PID: 7876)
      • 101623.exe (PID: 8036)
      • 092164.exe (PID: 8068)
      • 730475.exe (PID: 6796)
      • 092164.exe (PID: 504)
      • 279962.exe (PID: 1636)
      • 279962.exe (PID: 2040)
      • 360413.exe (PID: 8136)
      • 360413.exe (PID: 7244)
      • 516395.exe (PID: 3108)
      • 516395.exe (PID: 320)
      • 906000.exe (PID: 7084)
      • 906000.exe (PID: 2292)
      • 232082.exe (PID: 3656)
      • 232082.exe (PID: 6756)
      • 388163.exe (PID: 6340)
      • 778877.exe (PID: 7784)
      • 778877.exe (PID: 7824)
      • 991943.exe (PID: 7928)
      • 991943.exe (PID: 8084)
      • 146125.exe (PID: 8140)
      • 388163.exe (PID: 4460)
      • 547730.exe (PID: 1388)
      • 863792.exe (PID: 7440)
      • 863792.exe (PID: 8164)
      • 050700.exe (PID: 3832)
      • 146125.exe (PID: 4444)
      • 547730.exe (PID: 3588)
      • 050700.exe (PID: 7252)
      • 164857.exe (PID: 5080)
      • 565569.exe (PID: 7828)
      • 164857.exe (PID: 7344)
      • 565569.exe (PID: 4680)
      • 787835.exe (PID: 1040)
      • 787835.exe (PID: 6200)
      • 833818.exe (PID: 7768)
      • 833818.exe (PID: 7156)
      • 069790.exe (PID: 6808)
      • 304973.exe (PID: 7928)
      • 069790.exe (PID: 8080)
      • 304973.exe (PID: 8020)
      • 337039.exe (PID: 2836)
      • 337039.exe (PID: 2996)
      • 583211.exe (PID: 8176)
      • 583211.exe (PID: 4984)
      • 173826.exe (PID: 7028)
      • 173826.exe (PID: 2192)
    • Checks proxy server information

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • slui.exe (PID: 7792)
    • Create files in a temporary directory

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 6336)
    • Process checks computer location settings

      • 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe (PID: 6412)
      • hgqscp.exe (PID: 3588)
      • hgqscp.exe (PID: 6336)
      • 377149.exe (PID: 7048)
      • 332811.exe (PID: 3048)
      • 762540.exe (PID: 3676)
      • 022024.exe (PID: 7172)
      • 159007.exe (PID: 7520)
      • 426699.exe (PID: 1472)
      • 651536.exe (PID: 7640)
      • 242240.exe (PID: 7720)
      • 397122.exe (PID: 7804)
      • 798835.exe (PID: 7876)
      • 134097.exe (PID: 7948)
      • 269070.exe (PID: 8024)
      • 660694.exe (PID: 8148)
      • 741135.exe (PID: 7524)
      • 897117.exe (PID: 864)
      • 287730.exe (PID: 6376)
      • 911626.exe (PID: 7804)
      • 159509.exe (PID: 7928)
      • 533712.exe (PID: 7320)
      • 826542.exe (PID: 8104)
      • 770589.exe (PID: 7184)
      • 205561.exe (PID: 8028)
      • 401321.exe (PID: 5644)
      • 798319.exe (PID: 3460)
      • 216154.exe (PID: 7572)
      • 823826.exe (PID: 7128)
      • 101623.exe (PID: 7876)
      • 730475.exe (PID: 6796)
      • 279962.exe (PID: 1636)
      • 360413.exe (PID: 8136)
      • 516395.exe (PID: 3108)
      • 092164.exe (PID: 8068)
      • 906000.exe (PID: 7084)
      • 232082.exe (PID: 3656)
      • 388163.exe (PID: 6340)
      • 778877.exe (PID: 7784)
      • 991943.exe (PID: 7928)
      • 547730.exe (PID: 1388)
      • 863792.exe (PID: 7440)
      • 146125.exe (PID: 8140)
      • 164857.exe (PID: 5080)
      • 565569.exe (PID: 7828)
      • 050700.exe (PID: 3832)
      • 833818.exe (PID: 7768)
      • 069790.exe (PID: 6808)
      • 787835.exe (PID: 1040)
      • 337039.exe (PID: 2836)
      • 583211.exe (PID: 8176)
      • 304973.exe (PID: 7928)
      • 173826.exe (PID: 7028)
    • Reads the machine GUID from the registry

      • hgqscp.exe (PID: 6336)
    • Creates files or folders in the user directory

      • hgqscp.exe (PID: 6336)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1720)
    • Application launched itself

      • msedge.exe (PID: 5252)
      • msedge.exe (PID: 3488)
    • Manual execution by a user

      • msedge.exe (PID: 6372)
      • msedge.exe (PID: 6260)
      • msedge.exe (PID: 7204)
    • Reads the software policy settings

      • slui.exe (PID: 7792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:17 08:34:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 368640
InitializedDataSize: 1241088
UninitializedDataSize: -
EntryPoint: 0x4fd00
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.6.1.1
ProductVersionNumber: 5.6.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 5.6.1.1
FileDescription:
ProductName:
ProductVersion: 5.6.1.1
CompanyName:
LegalCopyright:
Comments: 本程序使用易语言编写(http://www.dywt.com.cn)
No data.
All screenshots are available in the full report
Total processes
282
Monitored processes
146
Malicious processes
3
Suspicious processes
0

Behavior graph

start #BLACKMOON 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe hgqscp.exe no specs #BLACKMOON hgqscp.exe 377149.exe no specs 377149.exe no specs 332811.exe no specs 332811.exe no specs msedge.exe no specs explorer.exe no specs msedge.exe explorer.exe no specs cmd.exe no specs conhost.exe no specs 762540.exe no specs 762540.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 426699.exe no specs 426699.exe no specs msedge.exe no specs msedge.exe no specs 022024.exe no specs identity_helper.exe no specs identity_helper.exe no specs 022024.exe no specs msedge.exe no specs msedge.exe no specs 159007.exe no specs 159007.exe no specs msedge.exe no specs 651536.exe no specs 651536.exe no specs 242240.exe no specs 242240.exe no specs 397122.exe no specs 397122.exe no specs 798835.exe no specs 798835.exe no specs 134097.exe no specs 134097.exe no specs 269070.exe no specs 269070.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 660694.exe no specs 660694.exe no specs msedge.exe no specs 741135.exe no specs 741135.exe no specs 897117.exe no specs 897117.exe no specs 287730.exe no specs 287730.exe no specs slui.exe 533712.exe no specs 533712.exe no specs 911626.exe no specs 911626.exe no specs 159509.exe no specs 159509.exe no specs msedge.exe no specs 205561.exe no specs 205561.exe no specs 770589.exe no specs 770589.exe no specs 826542.exe no specs 826542.exe no specs msedge.exe no specs 216154.exe no specs 216154.exe no specs 401321.exe no specs 401321.exe no specs 798319.exe no specs 798319.exe no specs msedge.exe no specs 730475.exe no specs 730475.exe no specs msedge.exe no specs 823826.exe no specs 823826.exe no specs msedge.exe no specs 101623.exe no specs 101623.exe no specs 092164.exe no specs 092164.exe no specs 279962.exe no specs 279962.exe no specs 360413.exe no specs 360413.exe no specs msedge.exe no specs msedge.exe no specs 
msedge.exe no specs 516395.exe no specs 516395.exe no specs msedge.exe no specs 906000.exe no specs 906000.exe no specs 232082.exe no specs 232082.exe no specs 388163.exe no specs 388163.exe no specs 778877.exe no specs 778877.exe no specs msedge.exe no specs 991943.exe no specs 991943.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 146125.exe no specs 146125.exe no specs 547730.exe no specs 547730.exe no specs 863792.exe no specs 863792.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 050700.exe no specs 050700.exe no specs 164857.exe no specs 164857.exe no specs msedge.exe no specs 565569.exe no specs 565569.exe no specs msedge.exe no specs 787835.exe no specs 787835.exe no specs 833818.exe no specs 833818.exe no specs 069790.exe no specs 069790.exe no specs 304973.exe no specs 304973.exe no specs 337039.exe no specs 337039.exe no specs 583211.exe no specs 583211.exe no specs 173826.exe no specs 173826.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 320
CMD: "C:\Users\admin\AppData\Roaming\Download\516395.exe"
Path: C:\Users\admin\AppData\Roaming\Download\516395.exe
Parent process: 516395.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\516395.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 480
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6412,i,16238438444981068306,11645366201417151271,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 504
CMD: "C:\Users\admin\AppData\Roaming\Download\092164.exe"
Path: C:\Users\admin\AppData\Roaming\Download\092164.exe
Parent process: 092164.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\092164.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 516
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=7156,i,16238438444981068306,11645366201417151271,262144 --variations-seed-version --mojo-platform-channel-handle=7688 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 760
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4220,i,16238438444981068306,11645366201417151271,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\Users\admin\AppData\Roaming\Download\897117.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\897117.exe
Parent process: hgqscp.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\897117.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1040
CMD: "C:\Users\admin\AppData\Roaming\Download\787835.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\787835.exe
Parent process: hgqscp.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\787835.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1132
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2252,i,16238438444981068306,11645366201417151271,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1388
CMD: "C:\Users\admin\AppData\Roaming\Download\547730.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\547730.exe
Parent process: hgqscp.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\547730.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events
34 201
Read events
34 141
Write events
60
Delete events
0

Modification events

(PID) Process: (6412) 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write
Name: JITDebug
Value: 0

(PID) Process: (6412) 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6412) 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6412) 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6412) 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3588) hgqscp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3588) hgqscp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3588) hgqscp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3588) hgqscp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6412) 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
63
Suspicious files
225
Text files
61
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations
Type: binary
MD5: CDDDC745A8C954DC438C931889999BDB
SHA256: 3DC9043838386F5363AC96A01477CF3163B5118B80191576A11B32CE9894314C

PID: 6336
Process: hgqscp.exe
Filename: C:\Users\admin\AppData\Local\Temp\3771494094\....\TemporaryFile
Type: executable
MD5: 5C8DD54491F1287985FDF7F60735E959
SHA256: 5B8DC17D2A58FCB7FCED5119DFAAC96E832C319C71F6D5A3BAA64F03E5AA25F5

PID: 6412
Process: 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\hgqscp.exe
Type: executable
MD5: 5C8DD54491F1287985FDF7F60735E959
SHA256: 5B8DC17D2A58FCB7FCED5119DFAAC96E832C319C71F6D5A3BAA64F03E5AA25F5

PID: 6412
Process: 2025-06-21_5c8dd54491f1287985fdf7f60735e959_elex_icedid_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat
Type: text
MD5: 8D429A42926EE993FD964B694D838812
SHA256: 20CEFB599F8C1ACAED3C65CE14B8ADB23F0FFDD0EB65A511DC614AA74CEE02DD

PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF178c42.TMP
Type:
MD5:
SHA256:

PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
Type:
MD5:
SHA256:

PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF178c42.TMP
Type:
MD5:
SHA256:

PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
Type:
MD5:
SHA256:

PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF178c61.TMP
Type:
MD5:
SHA256:

PID: 3488
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
Type:
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
386
TCP/UDP connections
265
DNS requests
252
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2368
RUXIMICS.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2368
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0
unknown
binary
1.47 Kb
whitelisted
GET
200
92.123.104.53:443
https://copilot.microsoft.com/c/api/user/eligibility
unknown
binary
25 b
whitelisted
GET
200
150.171.27.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
binary
564 b
whitelisted
1132
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:wzTeOoDiBjYvuHnu9DJskG8Pt8qaxasdsMZm-be6zdU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
GET
106.63.24.67:443
https://hao.360.com/?src=lm&ls=n6abbbb598c
unknown
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750508360&lafgdate=0
unknown
binary
13.5 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2368
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2368
RUXIMICS.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2368
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
dt.hebchengjiu.com
unknown
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
hao.360.cn
  • 101.198.2.134
whitelisted
copilot.microsoft.com
  • 92.123.104.53
  • 92.123.104.45
whitelisted
hao.360.com
  • 106.63.24.67
whitelisted

Threats

No threats detected
No debug info