URL:

https://mega.nz/file/hipGFAaI#NWPqXwP_df-queOVYVKc8JbBBGZoCCWZHkY5aw1iHLc

Full analysis: https://app.any.run/tasks/1c3e04f4-3a80-4daf-9bde-66eb13089411
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers various programs that each focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are also capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 26, 2024, 13:53:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
stealer
discordgrabber
generic
Indicators:
MD5: F4374C644F95C34EE13D68DE0306A363
SHA1: 0EB85EE8FAAE343FC48D376C68EB8EDD72E178B8
SHA256: 6FEDB9DA25887E361B24E4C0D2D1CA6910CE022C6B80D96D68B3745017C4FC84
SSDEEP: 3:N8X/ixkvIUAzUVilXTR7:2mkQFz0iljR7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • WinRAR.exe (PID: 2472)
      • DiscordSetup.exe (PID: 8156)
      • Discord.exe (PID: 1992)
      • Discord.exe (PID: 1292)
      • Discord.exe (PID: 3360)
      • Update.exe (PID: 7556)
      • Discord.exe (PID: 7416)
      • Discord.exe (PID: 4092)
      • Update.exe (PID: 5592)
      • Discord.exe (PID: 6608)
      • Discord.exe (PID: 7944)
      • reg.exe (PID: 7232)
      • Discord.exe (PID: 6728)
      • conhost.exe (PID: 7228)
      • Discord.exe (PID: 7260)
      • conhost.exe (PID: 3980)
      • Discord.exe (PID: 7400)
      • conhost.exe (PID: 7176)
      • reg.exe (PID: 6396)
      • conhost.exe (PID: 1128)
      • reg.exe (PID: 4868)
      • reg.exe (PID: 892)
      • cmd.exe (PID: 6268)
      • conhost.exe (PID: 7380)
      • Discord.exe (PID: 3196)
      • Discord.exe (PID: 7384)
      • chcp.com (PID: 996)
      • Discord.exe (PID: 7236)
      • Discord.exe (PID: 6124)
      • gpu_encoder_helper.exe (PID: 5632)
      • Discord.exe (PID: 7824)
      • gpu_encoder_helper.exe (PID: 3408)
      • conhost.exe (PID: 5876)
      • gpu_encoder_helper.exe (PID: 5904)
      • Discord.exe (PID: 6304)
      • conhost.exe (PID: 8020)
      • conhost.exe (PID: 7668)
      • cmd.exe (PID: 6608)
      • conhost.exe (PID: 7548)
      • Discord.exe (PID: 3976)
    • Drops the executable file immediately after the start

      • Update.exe (PID: 5592)
      • DiscordSetup.exe (PID: 8156)
      • Discord.exe (PID: 7400)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 3196)
      • Rebranded.exe (PID: 1620)
    • Changes the autorun value in the registry

      • reg.exe (PID: 4500)
    • DISCORDGRABBER has been detected (YARA)

      • Discord.exe (PID: 7824)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Update.exe (PID: 5592)
      • DiscordSetup.exe (PID: 8156)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 7400)
      • Rebranded.exe (PID: 1620)
      • Discord.exe (PID: 3196)
    • Process drops legitimate Windows executable

      • Update.exe (PID: 5592)
      • Rebranded.exe (PID: 1620)
    • Application launched itself

      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 6304)
    • Uses REG/REGEDIT.EXE to modify registry

      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 6304)
    • Reads security settings of Internet Explorer

      • Update.exe (PID: 5592)
      • ShellExperienceHost.exe (PID: 5608)
    • Reads the date of Windows installation

      • Update.exe (PID: 5592)
    • Searches for installed software

      • Update.exe (PID: 5592)
    • Creates a software uninstall entry

      • Update.exe (PID: 5592)
    • Starts CMD.EXE for command execution

      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 7824)
    • Process drops Python dynamic module

      • Rebranded.exe (PID: 1620)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6268)
    • The process drops C-runtime libraries

      • Rebranded.exe (PID: 1620)
  • INFO

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 4820)
      • msedge.exe (PID: 3660)
    • Reads the computer name

      • identity_helper.exe (PID: 6572)
      • Update.exe (PID: 5592)
      • Discord.exe (PID: 3360)
      • Update.exe (PID: 7556)
      • identity_helper.exe (PID: 7468)
      • Discord.exe (PID: 1292)
      • Discord.exe (PID: 7416)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 6728)
      • Discord.exe (PID: 7944)
      • Discord.exe (PID: 6608)
      • Rebranded.exe (PID: 1620)
      • Discord.exe (PID: 7236)
      • Discord.exe (PID: 6124)
      • Discord.exe (PID: 7824)
      • gpu_encoder_helper.exe (PID: 5904)
      • gpu_encoder_helper.exe (PID: 5632)
      • gpu_encoder_helper.exe (PID: 3408)
      • ShellExperienceHost.exe (PID: 5608)
    • Checks supported languages

      • identity_helper.exe (PID: 6572)
      • DiscordSetup.exe (PID: 8156)
      • identity_helper.exe (PID: 7468)
      • Update.exe (PID: 5592)
      • Discord.exe (PID: 1992)
      • Update.exe (PID: 7556)
      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 1292)
      • Discord.exe (PID: 7416)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 4092)
      • Discord.exe (PID: 6728)
      • Discord.exe (PID: 6608)
      • Discord.exe (PID: 7944)
      • Discord.exe (PID: 7260)
      • Discord.exe (PID: 7400)
      • Rebranded.exe (PID: 1620)
      • Discord.exe (PID: 3196)
      • Discord.exe (PID: 7384)
      • Discord.exe (PID: 7824)
      • chcp.com (PID: 996)
      • Discord.exe (PID: 7236)
      • Discord.exe (PID: 6124)
      • gpu_encoder_helper.exe (PID: 3408)
      • ShellExperienceHost.exe (PID: 5608)
      • gpu_encoder_helper.exe (PID: 5632)
      • Discord.exe (PID: 3976)
      • gpu_encoder_helper.exe (PID: 5904)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4820)
      • WinRAR.exe (PID: 2472)
    • Reads Environment values

      • identity_helper.exe (PID: 6572)
      • identity_helper.exe (PID: 7468)
      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 7944)
      • Discord.exe (PID: 7824)
    • Manual execution by a user

      • WinRAR.exe (PID: 2472)
      • Rebranded.exe (PID: 1620)
    • Attempting to use instant messaging service

      • msedge.exe (PID: 7272)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 6728)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2472)
      • msedge.exe (PID: 4820)
      • msedge.exe (PID: 3660)
    • The process uses the downloaded file

      • msedge.exe (PID: 7440)
      • WinRAR.exe (PID: 2472)
      • msedge.exe (PID: 4820)
      • msedge.exe (PID: 3616)
    • Checks proxy server information

      • slui.exe (PID: 3940)
      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 6304)
    • Reads the software policy settings

      • slui.exe (PID: 3940)
      • Discord.exe (PID: 6304)
    • Creates files in a temporary directory

      • DiscordSetup.exe (PID: 8156)
      • Update.exe (PID: 5592)
      • Discord.exe (PID: 6304)
      • Rebranded.exe (PID: 1620)
    • Creates files or folders in the user directory

      • DiscordSetup.exe (PID: 8156)
      • Update.exe (PID: 5592)
      • Discord.exe (PID: 3360)
      • Update.exe (PID: 7556)
      • Discord.exe (PID: 1992)
      • Discord.exe (PID: 7416)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 4092)
      • Discord.exe (PID: 6608)
      • Discord.exe (PID: 6728)
      • Discord.exe (PID: 7824)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 5592)
      • Update.exe (PID: 7556)
      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 6608)
      • Discord.exe (PID: 7944)
    • Application launched itself

      • msedge.exe (PID: 4820)
      • msedge.exe (PID: 3660)
    • Reads product name

      • Discord.exe (PID: 3360)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 7824)
    • Process checks computer location settings

      • Discord.exe (PID: 3360)
      • Update.exe (PID: 5592)
      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 7260)
      • Discord.exe (PID: 7384)
      • Discord.exe (PID: 7824)
      • Discord.exe (PID: 3976)
    • Reads CPU info

      • Discord.exe (PID: 6304)
      • Discord.exe (PID: 7824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 287
Monitored processes: 135
Malicious processes: 32
Suspicious processes: 1

Behavior graph

(Interactive process graph, available only in the full report. Nodes in the run: msedge.exe (many instances, most with no specs), identity_helper.exe, slui.exe, winrar.exe, discordsetup.exe, update.exe, discord.exe, reg.exe, conhost.exe, rebranded.exe, cmd.exe, chcp.com, gpu_encoder_helper.exe and shellexperiencehost.exe; one discord.exe node carries the #DISCORDGRABBER label.)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 236
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6312 --field-trial-handle=2408,i,17172532148529512052,16161964863354526803,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 256
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2772 --field-trial-handle=2416,i,13658496605097893150,18220024022310069661,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 528
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6632 --field-trial-handle=2408,i,17172532148529512052,16161964863354526803,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 704
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6592 --field-trial-handle=2408,i,17172532148529512052,16161964863354526803,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 892
CMD: C:\WINDOWS\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\admin\AppData\Local\Discord\app-1.0.9155\Discord.exe\" --url -- \"%1\"" /f
Path: C:\Windows\System32\reg.exe
Parent process: Discord.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 996
CMD: chcp
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1292
CMD: "C:\Users\admin\AppData\Local\Discord\app-1.0.9155\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,14944378726829430916,1724575236556310413,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1892 /prefetch:2
Path: C:\Users\admin\AppData\Local\Discord\app-1.0.9155\Discord.exe
Parent process: Discord.exe
User: admin
Company: Discord Inc.
Integrity Level: LOW
Description: Discord
Exit code: 0
Version: 1.0.9155
Modules
Images
c:\users\admin\appdata\local\discord\app-1.0.9155\discord.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1428
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6280 --field-trial-handle=2408,i,17172532148529512052,16161964863354526803,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1620
CMD: "C:\Users\admin\Desktop\Rebranded.exe"
Path: C:\Users\admin\Desktop\Rebranded.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Total events: 51 625
Read events: 51 339
Write events: 248
Delete events: 38

Modification events

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: dr
Value: 1

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (4820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation: write
Name: UsageStatsInSample
Value: 1

(PID) Process: (4820) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (4820) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: urlstats
Value: 0
Executable files: 182
Suspicious files: 821
Text files: 1 592
Unknown types: 64

Dropped files

PID | Process | Filename | Type
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1c119b.TMP
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1c119b.TMP
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1c118c.TMP
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1c11f9.TMP
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1c11f9.TMP
4820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 232
DNS requests: 261
Threats: 39

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | - | - | whitelisted
7884 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
7272 | msedge.exe | GET | 304 | 2.23.197.184:80 | http://x1.i.lencr.org/ | unknown | - | - | whitelisted
7272 | msedge.exe | GET | 304 | 2.23.197.184:80 | http://r3.i.lencr.org/ | unknown | - | - | whitelisted
2216 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8ee9a644-4296-4fb1-b90f-7c4d7ea948c5?P1=1722552992&P2=404&P3=2&P4=GbsCeKnVLegcaFUsxMVzgZCU4m7HwQKjRwMpADP3FaIMMJ%2bJgVvPxX1NXU1DgtgqXecFmJwji1EpnuHnpk3E4w%3d%3d | unknown | - | - | whitelisted
7272 | msedge.exe | GET | 304 | 95.101.54.195:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2856 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3688 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6220 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5368 | SearchApp.exe | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5368 | SearchApp.exe | 104.126.37.146:443 | - | Akamai International B.V. | DE | unknown
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6164 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4820 | msedge.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
google.com
  • 142.250.186.78
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
mega.nz
  • 31.216.145.5
  • 31.216.144.5
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
www.bing.com
whitelisted
bzib.nelreports.net
  • 23.53.40.203
  • 23.53.41.89
whitelisted

Threats

PID | Process | Class | Message
7272 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
7272 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
7272 | msedge.exe | Misc activity | ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
7272 | msedge.exe | Misc activity | ET INFO Observed DNS Query to Filesharing Service (mega .co .nz)
7272 | msedge.exe | Misc activity | ET INFO Observed DNS Query to Filesharing Service (mega .co .nz)
7272 | msedge.exe | Misc activity | ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
7272 | msedge.exe | Misc activity | ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
7272 | msedge.exe | Misc activity | ET INFO Observed DNS Query to Filesharing Service (mega .co .nz)
7272 | msedge.exe | Misc activity | ET INFO Observed DNS Query to Filesharing Service (mega .co .nz)
7272 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
Process | Message
DiscordSetup.exe | Start up installer:
DiscordSetup.exe | Elevated process: ?
DiscordSetup.exe | Want standard install