File name:

launcher.exe

Full analysis: https://app.any.run/tasks/4d4bb062-7605-4fa9-a216-74db1e7bf4bc
Verdict: Malicious activity
Analysis date: May 02, 2024, 16:25:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
qrcode
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

D70004D74AF0A01D82F1521B0D23AE60

SHA1:

4B6A23592B1E96BB869C1130DCBC86FF0FDF26F3

SHA256:

6BABCC36F396892A5D72D17FE1898F6DFB7AE9D0552908301D0C9DA28D21A56D

SSDEEP:

98304:vHk1/0z8X8hArRKGE/1B7D1o1TEGGDq41nyqLr4rQEmtFy9uPbOj5nqsp+5Rba4M:g0z8X8hArcToK8BdF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • launcher.exe (PID: 6040)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • 7z.exe (PID: 1556)
      • launcher.exe (PID: 1332)

  • SUSPICIOUS

    • Executes application which crashes

      • launcher.exe (PID: 636)
      • launcher.exe (PID: 3260)
      • launcher.exe (PID: 1752)

    • Searches for installed software

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)

    • Reads security settings of Internet Explorer

      • TextInputHost.exe (PID: 5212)

    • Creates a software uninstall entry

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)

    • Get information on the list of running processes

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)

    • Executable content was dropped or overwritten

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • 7z.exe (PID: 1556)
      • launcher.exe (PID: 1332)

    • Drops 7-zip archiver for unpacking

      • 7z.exe (PID: 1556)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)

    • Process drops legitimate windows executable

      • 7z.exe (PID: 1556)

    • The process drops C-runtime libraries

      • 7z.exe (PID: 1556)

    • Drops a system driver (possible attempt to evade defenses)

      • launcher.exe (PID: 1332)

  • INFO

    • Checks supported languages

      • launcher.exe (PID: 636)
      • launcher.exe (PID: 3260)
      • launcher.exe (PID: 1752)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • TextInputHost.exe (PID: 5212)
      • identity_helper.exe (PID: 2336)
      • launcher.exe (PID: 1332)
      • 7z.exe (PID: 1556)
      • 7z.exe (PID: 3796)
      • QtWebEngineProcess.exe (PID: 1372)
      • crashreport.exe (PID: 7008)

    • Manual execution by a user

      • launcher.exe (PID: 4744)
      • launcher.exe (PID: 636)
      • launcher.exe (PID: 2944)
      • launcher.exe (PID: 944)
      • launcher.exe (PID: 6092)
      • launcher.exe (PID: 3260)
      • launcher.exe (PID: 3604)
      • launcher.exe (PID: 1752)
      • msedge.exe (PID: 4104)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 6372)

    • Reads the computer name

      • launcher.exe (PID: 636)
      • launcher.exe (PID: 3260)
      • launcher.exe (PID: 1752)
      • identity_helper.exe (PID: 2336)
      • TextInputHost.exe (PID: 5212)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)
      • 7z.exe (PID: 1556)
      • 7z.exe (PID: 3796)
      • crashreport.exe (PID: 7008)

    • Checks proxy server information

      • WerFault.exe (PID: 3980)
      • WerFault.exe (PID: 5920)
      • WerFault.exe (PID: 3960)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)
      • crashreport.exe (PID: 7008)

    • Reads the software policy settings

      • WerFault.exe (PID: 3980)
      • WerFault.exe (PID: 5920)
      • WerFault.exe (PID: 3960)
      • launcher.exe (PID: 1332)
      • crashreport.exe (PID: 7008)

    • Application launched itself

      • msedge.exe (PID: 4104)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4104)

    • Drops the executable file immediately after the start

      • msedge.exe (PID: 4104)

    • The process uses the downloaded file

      • msedge.exe (PID: 876)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)

    • Create files in a temporary directory

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)

    • Reads the machine GUID from the registry

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)
      • crashreport.exe (PID: 7008)

    • Creates files in the program directory

      • 7z.exe (PID: 1556)
      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)
      • crashreport.exe (PID: 7008)

    • Reads CPU info

      • GenshinImpact_install_ua_8f720265818b.exe (PID: 7052)
      • launcher.exe (PID: 1332)

    • Creates files or folders in the user directory

      • launcher.exe (PID: 1332)

    • Reads Environment values

      • launcher.exe (PID: 1332)
      • crashreport.exe (PID: 7008)

    • Reads product name

      • launcher.exe (PID: 1332)
      • crashreport.exe (PID: 7008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:03:12 07:32:59+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 1794048
InitializedDataSize: 2893824
UninitializedDataSize: -
EntryPoint: 0x1a1894
OSVersion: 6
ImageVersion: 2.33
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.33.5.0
ProductVersionNumber: 2.33.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: HoYoverse
FileDescription: Genshin Impact
FileVersion: 2.33.5.0
LegalCopyright: ©COGNOSPHERE
OriginalFileName: launcher.exe
ProductName: Genshin Impact
ProductVersion: 2.33.5.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
229
Monitored processes
106
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start launcher.exe filecoauth.exe no specs launcher.exe no specs launcher.exe launcher.exe no specs launcher.exe werfault.exe launcher.exe no specs launcher.exe werfault.exe launcher.exe no specs launcher.exe werfault.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs textinputhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs filecoauth.exe no specs msedge.exe no specs genshinimpact_install_ua_8f720265818b.exe no specs genshinimpact_install_ua_8f720265818b.exe tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs 7z.exe no specs conhost.exe no specs 7z.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs launcher.exe qtwebengineprocess.exe no specs crashreport.exe conhost.exe no specs tasklist.exe no specs conhost.exe no specs msedge.exe no specs launcher.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
428"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --lang=en-US --service-sandbox-type=entity_extraction --no-appcompat-clear --mojo-platform-channel-handle=5376 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
468"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3848 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
612"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5604 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
624"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7496 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
636"C:\Users\admin\Desktop\launcher.exe" C:\Users\admin\Desktop\launcher.exe
explorer.exe
User:
admin
Company:
HoYoverse
Integrity Level:
HIGH
Description:
Genshin Impact
Exit code:
3221226505
Version:
2.33.5.0
Modules
Images
c:\users\admin\desktop\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\users\admin\desktop\mhyqtcommon.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
824"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4304 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
860"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7256 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
876"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6304 --field-trial-handle=2308,i,6643196400446976653,6603021031769617096,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
944"C:\Users\admin\Desktop\launcher.exe" C:\Users\admin\Desktop\launcher.exe
explorer.exe
User:
admin
Company:
HoYoverse
Integrity Level:
HIGH
Description:
Genshin Impact
Exit code:
3221225781
Version:
2.33.5.0
Modules
Images
c:\users\admin\desktop\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
972tasklist /FI "imagename eq GenshinImpact.exe"C:\Windows\System32\tasklist.exelauncher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
40 439
Read events
40 250
Write events
168
Delete events
21

Modification events

(PID) Process:(3980) WerFault.exeKey:\REGISTRY\A\{8a41be87-41f3-abc7-7361-f278e2c8380d}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(3980) WerFault.exeKey:\REGISTRY\A\{8a41be87-41f3-abc7-7361-f278e2c8380d}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(3980) WerFault.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\FIDs
Operation:delete valueName:AllFlights
Value:
(PID) Process:(3980) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation:writeName:0018800D2FF2EB83
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB01000000A8C0A4896435E34C9CB22836CB7BC9D900000000020000000000106600000001000020000000399615F45838F3F58A2D5091C806A26E25D93C3CA0956CAA4E5FC7DDE1318FE8000000000E8000000002000020000000C7DAAB26FC2914890A6EC28ADDD63CD217669E8D1A32923C138171C301D4C08E80000000BD894E6DF1E06C2E8546D9A40B680AC3604CE644F883072C25771624EDBADB03056F11BAC829AE1B13269B3926B7B7766362DD8F074F4D82754D3FA7A47C72B2F3E3C2730CC8E1776D868A60907A0773B1C1BF6FBE490A71EF3836E36B12FF297CF2F96D39FE19DAB944C9891534CE3177A0C58A194A2387AE8AC3963C85C4834000000073BDC801D93343942773F8DF120796D24BFF0BA25772666BED46F50B41A1A8721C9818B711FEF44292E30B842FA724968AC8002DAF25C112742624C938B32E3D
(PID) Process:(3980) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:DeviceTicket
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB01000000A8C0A4896435E34C9CB22836CB7BC9D900000000020000000000106600000001000020000000192B41494FEFE527E767BAEB8F3CCA94AF6463EC5D8503E8985A9B32AD998366000000000E80000000020000200000007440C0266DD602282CCA0762691FF11C6DE80120A18FBDA2811E10D7843401F11008000018947D6E32B7C889BD1594509474E8AFB7350CC6196EA6696C34DADEF8A1FBCCA24D7EC60B4A81819CC502772DB0157DFAE1C3F9CBA31F987AE1741EFD247980920683576F2014926B117B3F967D43E503C4199FF64F5454A068B2448C40F9CEC32AD9704DF197BB9502EFBACA2FB25D790EEBA8594A98AFC09F8075C3838F7DE12A1AA5A3D81F11ECB8FBB05B3CD9ACCF519AB551AA19FFF94C9B047267451A21533785771AB6DE26E56457D4344A8B67BB6448B2A954BA5AE7242BCAB3FED6B69F7BF1AF6BAE6E7D4A67ACA8D1A802F84D84C561A9399D3C01513BD1A2E5CD622264DB43DD75B6A8171E02D0AD1CFFCD1A7E7B9666FE982A9ABA197235E049EA29A70B83014A9EE5FB4B2F01D3C86C139A18604C1AFA99C8A5DCCB025675AF595FC4E77AB1B92737AFD1500AD42016425DC8F9BFBCDFE80D7B4D3DD63807EF77F48CE457785223C3BE368DDB74E7A70F03D26C320C785CDF07307DED90B257D795D1AB2559A6AC8A038F8CBCB1C9AA0D55AB7F841E8FB4A8090FA5DC33C378DE86E4BDE8966D27F6BE467BF4F20BC7BDDD0A2D352C9F4C1416193458FD3F537269CBA446F9024308C21E1B68A3CEE94CF6EB0B06BB85020A5D9A8BEF7FAE4F5F547C321088837105F8C464585D587E5237DA0D1F0EF1C55EA7C6B6CD03E7AF00714B732817078F3D69EAF1F3916172BDE2269E14B4BC7E83CB3FE8EBA95528D3FE7008633C9248838AEE2DD90E4BD2F770887B8736DF91ADD8037A7680AFBCF5283EE8469C4A7247350912F28929941FA282890031E0386EAE6CFB9573818B3B22B631B52F02AD9A57E23B71C81CF76E1BC20F623BD65096329039A3F64B728FFAB574975428B302AE0355A501B1734333F17480E338A7AA3B5D27CDBAD1CF4F341B58554688581AB63B6D0A46E4714BA0062F42B9049895A7B168CE6B5DF6827976F16B68091E6E997D9844631997E7223E039A8A7B18CD32B16D90009AA05877CE7E25EF06791D687CA1E039CF29E6F4FEABE2A2902350A162A317AF9628D42A57E3F4C53DE0AE3C838A6C5ACD999303E93CE564BD131989120AFE7B4EF7E351F3B0F1AAE96F8083447C8FFBE646ACA184122F610AEEDEF7750CCE911671D2DA6F394DFF29F9D5B6A402B9FA075070389C18C382E6BC1F23648EE4DF815766F913A002592D886023BE1A865DCCE950BE28DD917A4DC5639C4FBA15AE294DC4D871FBFEF3C208C69D95076AA95F9D1F716D717513B7286A76DF61F06230EFF03D768EDC5971A4E29022C511B4BA16A7966206D94D8602ACEED58698C156619A2BB16896DA08BF3507BA44077A43AFC38F381698A8F030D120D4FE8602993C54AED2F7980994AD8A7586653BE760E2B4EDCB4C336F62C89E14C0F4CB1D91027329096089CA6368C699F6F49E24C2CF9BBDF19A84838B1CBF424AFF0876CF45F131E96C823FBFA1F5E41CA8A2AACDA8C50044C6623766D74724F05138BC8910B6A8F9F6D85D050B9E357785808872C20D8400A5A776D7747C598A3C23B23BF431C42E52FF65B37D416B20D1E05345687AA1251141C70B96E1885D223ABAB1F70A38B5D1835842660C25A1769A2E24574A9C2DABADAD8FF06D460AAA1A048E55943875AE7C7EE9679C014930CFF278DDBEABC3A1418142DCD387919FE682FB43C7DBBA50FE4ACED7F058844A727A451A0140622C042A7D30D8D12DEDD995D3CEBF85230E84F0CF033F561D94006071B3735C0419113C82998E4A95D7900A9235AABE3B72DB2DD4BEE0002C481AADD25F718F5255AC485AE738FE9538717486ADC4442F91F880B37BE83AAFF9E1E159FC85C967BDB572A730B057F5B77F68652F26CBF35EBB1F68C5462D419C2F5D5DE96110C77E56CDE4A1D045E34DF2154019E9063856EFA010FBF3C6FF00B64D9F58DFAE18D49F425A0BAD6CA4196CA23563A5099C7ABAF8AF6A2975D5B94B70AD76B1BE65CB5A7708EA263FC7AD438948BAA958E6B5B893A90C577D83ABE33E49714CBB736CFFB2CD3D99F3C03065D92BE63D2975ECA6854D517A3A93533E200CA6D5D34A864018DC80E4E19A92CCEDCAFCE86C01574CE927F5A24AD0D38C9568E6D2F2AF205B7E0F93B4F686E1C894D16947EE8E75A5D7C8368E4615481CC95926B41A6781CB2097323BF571B9BA599B59A6A6DB03A2F3BC80C86DC27BAC1CC29CEA1522FFF07C8F9D39704DE88C33135D07CAF7B59F693DD9947C4820CABEAC404F75FC3A92FBD7BF29FF9109569E4F34DA5F50AF547430FEF28032A46DD40AA9B63C81DA9FAE2A5676FB0359752B65144F4A1F0F807B52D745F9D12BD0C334506368AE816EBDAABE96AFBE4D2CAD588CEECDEE73420836333383D139CC9C404ADA4BB23C18A5681EA65F3C8147C15A416CB19C0EE8CEE2FB899D25EF9E6974F72716B9457D0FD0804DEFF33BB299F869539DBA3FD1734C55B54D52741CA5E99AA65DBA65E383814485554B0D2E10DD5CBC511D3275EA12FFAC2CC9951118293E1536CE7CCBCC9D9885C46AD51669086DBE0706076D570FFF9CDE5A67DF3EF17DB38408697AF2EE6050FA4C0CEF98F2D2DF67E5C592310C8C728178656EDE164B5F72BD871555875FD5D8534BFC8B2FE585D3E3E5DDB0DD550D6BEFCEA9040C36A548E7FA83A360AAEEC965A203AE731FA29941D0CA67AAA31C6608E6259FE4838AB008CCEEF4C86AA2F512460C2ACC913028C481A48DD6D571128B8D741D38CE72C8824D165E06ACAC08F762AFC44F07E18509DE4219E62F3451DA823396C0CC16714967667CC43449B1CDD1AE5C59469B7F0A1F089662B7BF135BD26BCC393FDD5234ED9BAE119E815AEDCCFB905CFF9E878AC31394A335ABF81701CFA6B045D0C62C0A998FE39ABF577AC55E2CDA2DA9E79E73A72ACB1CF966626EC964C8E840000000B54090C6007E4BCE0883FA70C569A9C444C26F04EE787F86E2A5C51C912117E72CB1CF794CE63BEEA497D074A642B0FCCC216D6998CEB17B26B89F1EE76169F0
(PID) Process:(3980) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:DeviceId
Value:
0018800D2FF2EB83
(PID) Process:(3980) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:ApplicationFlags
Value:
1
(PID) Process:(5920) WerFault.exeKey:\REGISTRY\A\{8a41be87-41f3-abc7-7361-f278e2c8380d}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(5920) WerFault.exeKey:\REGISTRY\A\{8a41be87-41f3-abc7-7361-f278e2c8380d}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(5920) WerFault.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\FIDs
Operation:delete valueName:AllFlights
Value:
Executable files
176
Suspicious files
1 039
Text files
284
Unknown types
428

Dropped files

PID
Process
Filename
Type
3980WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_launcher.exe_Gen_23cab470b77a33a28cda2bcd3817c9bee84ede_742f48ab_4c5d0d67-8f79-4616-a013-1e99433220e0\Report.wer
MD5:
SHA256:
5920WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_launcher.exe_Gen_23cab470b77a33a28cda2bcd3817c9bee84ede_742f48ab_21d74e01-c59a-4664-9ca8-15d9acf9ea84\Report.wer
MD5:
SHA256:
3960WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_launcher.exe_Gen_23cab470b77a33a28cda2bcd3817c9bee84ede_742f48ab_f5a6dd50-c911-432a-88b0-b440d3bb9a45\Report.wer
MD5:
SHA256:
4104msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-6633C051-1008.pma
MD5:
SHA256:
5784FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-02.1626.5784.1.odlbinary
MD5:5BB7E16624078272D27275AA5D5E3D68
SHA256:8D52A3EDE5574C771DA8B2C3C801C666AA5E2600C1305333D8E2826799D4EFD8
4104msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF18845e.TMP
MD5:
SHA256:
4104msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF18845e.TMP
MD5:
SHA256:
4104msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF18845e.TMP
MD5:
SHA256:
4104msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
4104msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
298
DNS requests
256
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4264
SIHClient.exe
GET
200
23.32.110.52:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
HEAD
200
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8456af18-d02e-4d2d-a6dc-211817a8bed3?P1=1714827630&P2=404&P3=2&P4=QMifzhsti%2bY1P2eLDW5XspK%2fiO0QX%2f8521fghBojCUg3sBsDat0wANoMazlhCW%2fxWCpvVw3Wlpb3grj165hSAw%3d%3d
unknown
unknown
4924
svchost.exe
GET
206
23.58.120.233:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2135bc6b-a3ff-466d-9f49-24f84965e4d6?P1=1715031683&P2=404&P3=2&P4=npOeg%2bK1i1P%2f1N2M0DZqlx6onxZMs3ng8yxGyxmNh76seFyQeP6BnhjkNbW5n%2bbPT0BPOHb1grwuOQdsc%2b9obQ%3d%3d
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4416
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3052
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2032
svchost.exe
23.32.109.224:443
go.microsoft.com
AKAMAI-AS
SE
unknown
4264
SIHClient.exe
40.68.123.157:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4264
SIHClient.exe
23.32.110.52:80
www.microsoft.com
AKAMAI-AS
SE
unknown
4264
SIHClient.exe
23.65.124.25:80
crl.microsoft.com
Akamai International B.V.
IN
unknown
4264
SIHClient.exe
13.95.31.18:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2900
svchost.exe
20.42.73.30:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2900
svchost.exe
23.32.110.52:80
www.microsoft.com
AKAMAI-AS
SE
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.2
  • 20.190.159.4
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.67
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.32.134
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.74
  • 40.126.32.76
  • 40.126.32.72
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
go.microsoft.com
  • 23.32.109.224
  • 23.211.6.73
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 23.32.110.52
  • 23.36.165.138
whitelisted
crl.microsoft.com
  • 23.65.124.25
  • 23.65.124.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
v20.events.data.microsoft.com
  • 204.79.197.203
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.21
  • 104.208.16.94
whitelisted

Threats

No threats detected
Process
Message
launcher.exe
qt.qpa.plugin: Could not find the Qt platform plugin "windows" in ""
launcher.exe
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
launcher.exe
qt.qpa.plugin: Could not find the Qt platform plugin "windows" in ""
launcher.exe
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
launcher.exe
qt.qpa.plugin: Could not find the Qt platform plugin "windows" in ""
launcher.exe
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
GenshinImpact_install_ua_8f720265818b.exe
need space: 390814403 archive size: 121397289 compressDatapos: 26523144
GenshinImpact_install_ua_8f720265818b.exe
read Config I18nNameMap=QMap(("de-de", "Genshin Impact")("en-us", "Genshin Impact")("es-es", "Genshin Impact")("fr-fr", "Genshin Impact")("id-id", "Genshin Impact")("it-it", "Genshin Impact")("ja-jp", "??")("ko-kr", "??")("pt-pt", "Genshin Impact")("ru-ru", "Genshin Impact")("th-th", "Genshin Impact")("tr-tr", "Genshin Impact")("vi-vn", "Genshin Impact")("zh-cn", "??")("zh-tw", "??")) ProductName="Genshin Impact" InstallerSingleId="miHoYo.com_installer_yuanshen" InstallAppendPath="Genshin Impact" LauncherExeName="launcher.exe" AppSingleId="miHoYo.com_launcher_yuanshen" Publisher="COGNOSPHERE PTE. LTD." WebSiteUrl="https://genshin.hoyoverse.com/" ProtocolUrl="https://genshin.hoyoverse.com/launcher/10/{lang}/agreement?api_url=https%3A%2F%2Fhk4e-launcher.hoyoverse.com%2Fhk4e_global" Version="2.33.5.0" EnvValue="prod-os" Preview=false RequestKey="gcStgarh" AppId="10" CPS="mihoyo" Channel="1" SubChannel="0" ClusterLabel="" BuildSha="6b936695LqlIfK3k"
GenshinImpact_install_ua_8f720265818b.exe
"GenshinImpact_install_ua_8f720265818b.exe" init success
GenshinImpact_install_ua_8f720265818b.exe
check version start
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
launcher.exe