File name:

clippy_1.3.0_x64-setup.exe

Full analysis: https://app.any.run/tasks/d0855929-4e96-4f43-9514-07e6ecdf0c79
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 24, 2024, 05:57:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

CF493A5FFB852D73BCC8CE2478804C44

SHA1:

247BCFECE446020DF2D837B37303E47A65D90D5F

SHA256:

62664A92E755674CD4E3105FD8B0B5DE29C05E5A33A4054406101648BE113CCA

SSDEEP:

98304:bJ8cJt8G0XQs/tVXKhdYrS/udokPso0Ze9O3kMDliiUs7s8um8js7ei/Ackkwz9r:boizmlDvi/dCkE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 624)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 4360)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4136)
      • MicrosoftEdgeUpdate.exe (PID: 624)
      • setup.exe (PID: 1668)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1864)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
    • Searches for installed software

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
    • The process creates files with name similar to system file names

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
    • Process drops legitimate windows executable

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4136)
      • MicrosoftEdgeUpdate.exe (PID: 624)
      • setup.exe (PID: 1668)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1864)
    • Process requests binary or script from the Internet

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
    • Potential Corporate Privacy Violation

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • svchost.exe (PID: 3836)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 4136)
      • MicrosoftEdgeUpdate.exe (PID: 624)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 624)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3080)
      • MicrosoftEdgeUpdate.exe (PID: 4624)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6004)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6056)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 624)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
      • msedgewebview2.exe (PID: 3988)
    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 3172)
    • Application launched itself

      • setup.exe (PID: 1668)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
      • msedgewebview2.exe (PID: 3988)
    • Creates a software uninstall entry

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
    • Uses REG/REGEDIT.EXE to modify registry

      • clippy.exe (PID: 6096)
    • Starts POWERSHELL.EXE for commands execution

      • clippy.exe (PID: 6096)
  • INFO

    • The sample compiled with english language support

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4136)
      • MicrosoftEdgeUpdate.exe (PID: 624)
      • svchost.exe (PID: 3836)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1864)
      • setup.exe (PID: 1668)
    • Checks supported languages

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4136)
      • MicrosoftEdgeUpdate.exe (PID: 624)
      • MicrosoftEdgeUpdate.exe (PID: 4624)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6004)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6056)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3080)
      • MicrosoftEdgeUpdate.exe (PID: 1760)
      • MicrosoftEdgeUpdate.exe (PID: 6076)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
      • setup.exe (PID: 1668)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1864)
      • clippy.exe (PID: 6096)
      • setup.exe (PID: 5400)
      • MicrosoftEdgeUpdate.exe (PID: 848)
      • msedgewebview2.exe (PID: 3988)
      • msedgewebview2.exe (PID: 1304)
      • msedgewebview2.exe (PID: 5856)
      • msedgewebview2.exe (PID: 4360)
      • msedgewebview2.exe (PID: 3552)
      • msedgewebview2.exe (PID: 5028)
    • Checks proxy server information

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeUpdate.exe (PID: 1760)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
      • msedgewebview2.exe (PID: 3988)
    • Reads the computer name

      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeUpdate.exe (PID: 4624)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3080)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6004)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6056)
      • MicrosoftEdgeUpdate.exe (PID: 624)
      • MicrosoftEdgeUpdate.exe (PID: 1760)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
      • MicrosoftEdgeUpdate.exe (PID: 6076)
      • setup.exe (PID: 1668)
      • clippy.exe (PID: 6096)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1864)
      • MicrosoftEdgeUpdate.exe (PID: 848)
      • msedgewebview2.exe (PID: 3988)
      • msedgewebview2.exe (PID: 4360)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 4136)
      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdgeUpdate.exe (PID: 624)
      • svchost.exe (PID: 3836)
      • msedgewebview2.exe (PID: 3988)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 624)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
      • clippy_1.3.0_x64-setup.exe (PID: 5544)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1864)
      • setup.exe (PID: 5400)
      • setup.exe (PID: 1668)
      • msedgewebview2.exe (PID: 1304)
      • msedgewebview2.exe (PID: 3988)
      • clippy.exe (PID: 6096)
      • msedgewebview2.exe (PID: 5856)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1760)
      • MicrosoftEdgeUpdate.exe (PID: 848)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 624)
      • setup.exe (PID: 1668)
      • msedgewebview2.exe (PID: 3988)
      • msedgewebview2.exe (PID: 5028)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1760)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 1760)
      • MicrosoftEdgeUpdate.exe (PID: 3172)
    • Manual execution by a user

      • clippy.exe (PID: 6096)
    • Sends debugging messages

      • msedgewebview2.exe (PID: 3988)
      • clippy.exe (PID: 6096)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (52.5)
.scr | Windows screen saver (22)
.dll | Win32 Dynamic Link Library (generic) (11)
.exe | Win32 Executable (generic) (7.5)
.exe | Generic Win/DOS Executable (3.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: clippy
FileVersion: 1.3.0
LegalCopyright: -
ProductName: clippy
ProductVersion: 1.3.0
All screenshots are available in the full report
Total processes
148
Monitored processes
28
Malicious processes
8
Suspicious processes
3

Behavior graph

start
  • clippy_1.3.0_x64-setup.exe
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe
  • svchost.exe
  • microsoftedge_x64_131.0.2903.112.exe
  • setup.exe
  • setup.exe (no specs)
  • microsoftedgeupdate.exe
  • clippy.exe
  • msedgewebview2.exe
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
624
CMD:
C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path:
C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\temp\eu8ec6.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
776
CMD:
"reg" query "HKCU\Keyboard Layout\Preload"
Path:
C:\Windows\System32\reg.exe
Parent process:
clippy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
848
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MzA3RDI3RTAtMUYwMy00N0FCLUFBNUUtNUZDN0NFMzBGODgzfSIgdXNlcmlkPSJ7MDA5RUIyRTctRTBBRC00RkRBLUJGMkItMjFGQjNDMzEzNEFEfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszMTM3QzM5MC1FM0IxLTQ0NUQtQjVEQy05MTA3N0VGMDM1Rjd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSImcXVvdDtzemxOQkp1OXlEc3pmazlCUWdobWhFMmJCN00yekcvQzFCWjh5QS9rWWI0PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjExMiIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjg1NzMzNzg1OSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyODU3MzM3ODU5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-…
Path:
…:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
900
CMD:
"powershell" -Command (Get-Culture).TwoLetterISOLanguageName
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
clippy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1144
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1304
CMD:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\clippy\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\clippy\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=131.0.2903.112 --initial-client-data=0x1a0,0x1a4,0x1a8,0x17c,0x1b0,0x7ff8210b6070,0x7ff8210b607c,0x7ff8210b6088
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.112\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Version:
131.0.2903.112
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.112\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.112\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1668
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{8AD150F7-CC7E-4B59-8A0A-D2E24DC01BD6}\EDGEMITMP_969DB.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{8AD150F7-CC7E-4B59-8A0A-D2E24DC01BD6}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{8AD150F7-CC7E-4B59-8A0A-D2E24DC01BD6}\EDGEMITMP_969DB.tmp\setup.exe
Parent process:
MicrosoftEdge_X64_131.0.2903.112.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
131.0.2903.112
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{8ad150f7-cc7e-4b59-8a0a-d2e24dc01bd6}\edgemitmp_969db.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID:
1760
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MzA3RDI3RTAtMUYwMy00N0FCLUFBNUUtNUZDN0NFMzBGODgzfSIgdXNlcmlkPSJ7MDA5RUIyRTctRTBBRC00RkRBLUJGMkItMjFGQjNDMzEzNEFEfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNUNGNEM1OC1ERDE5LTQ4NTUtOUE3QS03MDRBMzNFNDcyMDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTI4MzU2MTQ5MDAiIGluc3RhbGxfdGltZV9tcz0iNjEwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
1864
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{8AD150F7-CC7E-4B59-8A0A-D2E24DC01BD6}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{8AD150F7-CC7E-4B59-8A0A-D2E24DC01BD6}\MicrosoftEdge_X64_131.0.2903.112.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
131.0.2903.112
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{8ad150f7-cc7e-4b59-8a0a-d2e24dc01bd6}\microsoftedge_x64_131.0.2903.112.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
3080
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
27 625
Read events
24 798
Write events
2 759
Delete events
68

Modification events

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: path
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: UninstallCmdLine
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: pv
Value: 1.3.195.43

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: name
Value: Microsoft Edge Update

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: pv
Value: 1.3.195.43

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft Edge Update
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateCore.exe"

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: edgeupdate_task_name_c
Value: MicrosoftEdgeUpdateTaskUserS-1-5-21-1693682860-607145093-2874071422-1001Core{7E2D46DC-17DE-4349-9CDB-EB67341F6C20}

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: delete value
Name: eulaaccepted
Value:

Process: (624) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: edgeupdate_task_name_ua
Value: MicrosoftEdgeUpdateTaskUserS-1-5-21-1693682860-607145093-2874071422-1001UA{AFE54A5B-3600-45BB-BE26-71E468268F3C}

Process: (4624) MicrosoftEdgeUpdate.exe
Key: HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both
Executable files
211
Suspicious files
108
Text files
38
Unknown types
21

Dropped files

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nse61DC.tmp\System.dll
Type: executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nse61DC.tmp\modern-wizard.bmp
Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nse61DC.tmp\NSISdl.dll
Type: executable
MD5: EE68463FED225C5C98D800BDBD205598
SHA256: 419485A096BC7D95F872ED1B9B7B5C537231183D710363BEEE4D235BB79DBE04

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nse61DC.tmp\nsDialogs.dll
Type: executable
MD5: 6C3F8C94D0727894D706940A8A980543
SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Type: executable
MD5: B49D269A231BCF719D6DE10F6DCF0692
SHA256: BDE514014B95C447301D9060A221EFB439C3C1F5DB53415F080D4419DB75B27E

PID: 4136
Process: MicrosoftEdgeWebview2Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\msedgeupdate.dll
Type: executable
MD5: 40CD707DD3011A9845FF9C42256EA7E3
SHA256: 9F4C7072716E0BE1BE08207A7024A5E41162E288E677D805BE8E5469A8BD4909

PID: 4136
Process: MicrosoftEdgeWebview2Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\psuser_arm64.dll
Type: executable
MD5: 468C6DAED548F7D1D446F84ABCE85BBA
SHA256: 01E37D6A07318D67CE22A898B52E3EED6AE990520303D2E36446B34255D298B0

PID: 4136
Process: MicrosoftEdgeWebview2Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\psuser.dll
Type: executable
MD5: 4D098B6708E7541822F5D86850123184
SHA256: 268A400839417FB510D79DD0B6ED665AFD27493963F9DD36A306D14180BEA872

PID: 4136
Process: MicrosoftEdgeWebview2Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\NOTICE.TXT
Type: text
MD5: 6DD5BF0743F2366A0BDD37E302783BCD
SHA256: 91D3FC490565DED7621FF5198960E501B6DB857D5DD45AF2FE7C3ECD141145F5

PID: 4136
Process: MicrosoftEdgeWebview2Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\EU8EC6.tmp\psmachine_64.dll
Type: executable
MD5: 886D71AA7EA1C34644AA759FB5A09B5F
SHA256: 95D1B924759B36FBD2A20682E919392D64DC8C1B153F909F921DA7E57825A04C
HTTP(S) requests
15
TCP/UDP connections
29
DNS requests
15
Threats
6

HTTP requests

PID: 4712
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 23.216.77.25:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 2632
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 23.216.77.25:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Method: GET
HTTP Code: 301
IP: 184.30.17.189:80
URL: http://go.microsoft.com/fwlink/p/?LinkId=2124703
CN: unknown
Reputation: whitelisted

PID: 2632
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.14:80
URL: http://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/c1336fd6-a2eb-4669-9b03-949fc70ace0e/MicrosoftEdgeWebview2Setup.exe
CN: unknown
Reputation: whitelisted

PID: 3836
Process: svchost.exe
Method: HEAD
HTTP Code: 200
IP: 217.20.57.19:80
URL: http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735624692&P2=404&P3=2&P4=EhL7RrMtOofTp8rrkarRWJAib6oc3gHf9CXpdpi9iYJynNInreh1QV%2fM9HAW%2f5tv8%2b1wcXJH9QDLrWVyspk%2bjA%3d%3d
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 200
IP: 172.169.87.222:443
URL: https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/131.0.2903.112/files?action=GenerateDownloadInfo&foregroundPriority=true
CN: unknown
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 13.107.42.16:443
URL: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.43?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.43&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.43&requestOmahaVersion=1.3.195.43
CN: unknown
Type: binary
Size: 484 b
Reputation: whitelisted

Method: POST
HTTP Code: 200
IP: 172.169.87.222:443
URL: https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates
CN: unknown
Type: text
Size: 104 b
Reputation: whitelisted

Connections

IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2632
Process: svchost.exe
IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
IP: 23.216.77.25:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 2632
Process: svchost.exe
IP: 23.216.77.25:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
IP: 184.30.21.171:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 2632
Process: svchost.exe
IP: 184.30.21.171:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 2632
Process: svchost.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.26
  • 23.216.77.30
  • 23.216.77.22
  • 23.216.77.15
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 23.48.23.14
  • 23.48.23.55
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 4.245.161.190
whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com
  • 217.20.57.19
  • 84.201.210.39
  • 217.20.57.18
  • 217.20.57.35
  • 217.20.57.34
  • 217.20.57.36
  • 84.201.210.23
  • 217.20.57.20
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.161
  • 104.126.37.152
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.146
  • 104.126.37.137
  • 104.126.37.136
whitelisted

Threats

PID: 5544
Process: clippy_1.3.0_x64-setup.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3836
Process: svchost.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP
4 ETPRO signatures available at the full report
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\clippy directory exists )
clippy.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319
clippy.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319