URL: stardock.com

Full analysis: https://app.any.run/tasks/566dca91-a2dd-4096-a1ae-df01ee9e4a7b
Verdict: Malicious activity
Analysis date: June 04, 2025, 13:01:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, lua
Indicators:
MD5: 83B8C0D883CF64F7FAD46169F9AD97BA
SHA1: DE00705A1CC07A0FFBD4E7A99805E38485DC8082
SHA256: 771714D7C921C450375FB055C3078AF9BF45842F8FBBF80DF2C734467F7DC67D
SSDEEP: 3:L8GO2:AZ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • GetMachineSID.exe (PID: 5056)
      • DeElevate64.exe (PID: 8468)
    • Uses Task Scheduler to run other applications

      • irsetup.exe (PID: 5248)
    • Registers / Runs the DLL via REGSVR32.EXE

      • Fences.exe (PID: 7556)
      • Fences.exe (PID: 7428)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Fences6-fs-setup.exe (PID: 4268)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • irsetup.exe (PID: 5248)
    • Executable content was dropped or overwritten

      • Fences6-fs-setup.exe (PID: 4268)
      • irsetup.exe (PID: 5248)
      • MicrosoftEdgeWebview2Setup.exe (PID: 2656)
      • mscorsvw.exe (PID: 8368)
      • mscorsvw.exe (PID: 7892)
      • mscorsvw.exe (PID: 976)
      • mscorsvw.exe (PID: 8660)
      • mscorsvw.exe (PID: 8252)
      • mscorsvw.exe (PID: 6228)
      • mscorsvw.exe (PID: 8952)
      • mscorsvw.exe (PID: 8616)
      • mscorsvw.exe (PID: 8896)
      • mscorsvw.exe (PID: 8816)
      • mscorsvw.exe (PID: 6808)
      • mscorsvw.exe (PID: 9008)
      • mscorsvw.exe (PID: 6712)
      • mscorsvw.exe (PID: 8560)
      • mscorsvw.exe (PID: 8772)
      • mscorsvw.exe (PID: 7656)
      • mscorsvw.exe (PID: 8948)
      • mscorsvw.exe (PID: 8892)
      • mscorsvw.exe (PID: 7704)
      • mscorsvw.exe (PID: 9108)
      • mscorsvw.exe (PID: 2776)
      • mscorsvw.exe (PID: 8780)
      • mscorsvw.exe (PID: 8656)
      • mscorsvw.exe (PID: 4628)
      • mscorsvw.exe (PID: 2088)
      • mscorsvw.exe (PID: 9012)
      • mscorsvw.exe (PID: 8280)
      • mscorsvw.exe (PID: 7712)
      • mscorsvw.exe (PID: 5980)
      • mscorsvw.exe (PID: 656)
      • mscorsvw.exe (PID: 8564)
      • mscorsvw.exe (PID: 8328)
      • mscorsvw.exe (PID: 1512)
      • mscorsvw.exe (PID: 5864)
      • mscorsvw.exe (PID: 6344)
      • mscorsvw.exe (PID: 8624)
      • mscorsvw.exe (PID: 8956)
      • mscorsvw.exe (PID: 8288)
      • mscorsvw.exe (PID: 9044)
      • mscorsvw.exe (PID: 6340)
      • mscorsvw.exe (PID: 8600)
      • mscorsvw.exe (PID: 7952)
      • mscorsvw.exe (PID: 8780)
      • mscorsvw.exe (PID: 3008)
      • mscorsvw.exe (PID: 6512)
      • mscorsvw.exe (PID: 8656)
      • mscorsvw.exe (PID: 8896)
      • mscorsvw.exe (PID: 8908)
      • mscorsvw.exe (PID: 8764)
      • mscorsvw.exe (PID: 7732)
      • mscorsvw.exe (PID: 9024)
      • mscorsvw.exe (PID: 9116)
    • Process drops legitimate windows executable

      • irsetup.exe (PID: 5248)
      • MicrosoftEdgeWebview2Setup.exe (PID: 2656)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • mscorsvw.exe (PID: 7892)
      • mscorsvw.exe (PID: 8368)
      • mscorsvw.exe (PID: 976)
      • mscorsvw.exe (PID: 8252)
      • mscorsvw.exe (PID: 8896)
      • mscorsvw.exe (PID: 8616)
      • mscorsvw.exe (PID: 6228)
      • mscorsvw.exe (PID: 8816)
      • mscorsvw.exe (PID: 6808)
      • mscorsvw.exe (PID: 9008)
      • mscorsvw.exe (PID: 8952)
      • mscorsvw.exe (PID: 7656)
      • mscorsvw.exe (PID: 8772)
      • mscorsvw.exe (PID: 8560)
      • mscorsvw.exe (PID: 8948)
      • mscorsvw.exe (PID: 2776)
      • mscorsvw.exe (PID: 8780)
      • mscorsvw.exe (PID: 8656)
      • mscorsvw.exe (PID: 4628)
      • mscorsvw.exe (PID: 8892)
      • mscorsvw.exe (PID: 2088)
      • mscorsvw.exe (PID: 9012)
      • mscorsvw.exe (PID: 8328)
      • mscorsvw.exe (PID: 8280)
      • mscorsvw.exe (PID: 7712)
      • mscorsvw.exe (PID: 8564)
      • mscorsvw.exe (PID: 5980)
      • mscorsvw.exe (PID: 8956)
      • mscorsvw.exe (PID: 8288)
      • mscorsvw.exe (PID: 5864)
      • mscorsvw.exe (PID: 6344)
      • mscorsvw.exe (PID: 8624)
      • mscorsvw.exe (PID: 1512)
      • mscorsvw.exe (PID: 8600)
      • mscorsvw.exe (PID: 7952)
      • mscorsvw.exe (PID: 8780)
      • mscorsvw.exe (PID: 3008)
      • mscorsvw.exe (PID: 9044)
      • mscorsvw.exe (PID: 6340)
      • mscorsvw.exe (PID: 8908)
      • mscorsvw.exe (PID: 8656)
      • mscorsvw.exe (PID: 7732)
      • mscorsvw.exe (PID: 9024)
      • mscorsvw.exe (PID: 6512)
      • mscorsvw.exe (PID: 8896)
      • mscorsvw.exe (PID: 9116)
      • mscorsvw.exe (PID: 8764)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 2656)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 3896)
    • The process exported the data from the registry

      • irsetup.exe (PID: 5248)
    • Reads Microsoft Outlook installation path

      • irsetup.exe (PID: 5248)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 5248)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 8172)
      • schtasks.exe (PID: 4276)
      • schtasks.exe (PID: 9184)
      • schtasks.exe (PID: 8280)
      • schtasks.exe (PID: 5364)
    • Starts CMD.EXE for commands execution

      • irsetup.exe (PID: 5248)
    • Executing commands from ".cmd" file

      • irsetup.exe (PID: 5248)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7776)
    • Application launched itself

      • Fences.exe (PID: 7428)
      • Fences.exe (PID: 7556)
      • rundll32.exe (PID: 232)
      • Fences.exe (PID: 4976)
      • rundll32.exe (PID: 7984)
      • Fences.exe (PID: 2516)
      • Fences.exe (PID: 8204)
    • Uses ICACLS.EXE to modify access control lists

      • Fences.exe (PID: 472)
      • Fences.exe (PID: 8388)
    • There is functionality for taking screenshot (YARA)

      • irsetup.exe (PID: 5248)
    • Reads Internet Explorer settings

      • irsetup.exe (PID: 5248)
    • The process creates files with name similar to system file names

      • irsetup.exe (PID: 5248)
    • The process executes via Task Scheduler

      • rundll32.exe (PID: 232)
      • rundll32.exe (PID: 7984)
    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 232)
      • rundll32.exe (PID: 7984)
      • Fences.exe (PID: 3800)
      • explorer.exe (PID: 5492)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 4892)
      • Fences6-fs-setup.exe (PID: 4268)
      • irsetup.exe (PID: 5248)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • GetMachineSID.exe (PID: 5056)
    • Reads Environment values

      • identity_helper.exe (PID: 4892)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
    • Application launched itself

      • msedge.exe (PID: 7820)
    • Checks supported languages

      • identity_helper.exe (PID: 4892)
      • Fences6-fs-setup.exe (PID: 4268)
      • irsetup.exe (PID: 5248)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • MicrosoftEdgeWebview2Setup.exe (PID: 2656)
      • GetMachineSID.exe (PID: 5056)
    • The sample compiled with english language support

      • msedge.exe (PID: 6040)
      • msedge.exe (PID: 7820)
      • Fences6-fs-setup.exe (PID: 4268)
      • irsetup.exe (PID: 5248)
      • MicrosoftEdgeWebview2Setup.exe (PID: 2656)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • mscorsvw.exe (PID: 7892)
      • mscorsvw.exe (PID: 976)
      • mscorsvw.exe (PID: 8368)
      • mscorsvw.exe (PID: 8252)
      • mscorsvw.exe (PID: 6228)
      • mscorsvw.exe (PID: 8616)
      • mscorsvw.exe (PID: 8896)
      • mscorsvw.exe (PID: 8816)
      • mscorsvw.exe (PID: 6808)
      • mscorsvw.exe (PID: 9008)
      • mscorsvw.exe (PID: 7656)
      • mscorsvw.exe (PID: 8560)
      • mscorsvw.exe (PID: 8952)
      • mscorsvw.exe (PID: 8948)
      • mscorsvw.exe (PID: 8656)
      • mscorsvw.exe (PID: 4628)
      • mscorsvw.exe (PID: 2088)
      • mscorsvw.exe (PID: 7712)
      • mscorsvw.exe (PID: 8564)
      • mscorsvw.exe (PID: 8956)
      • mscorsvw.exe (PID: 8288)
      • mscorsvw.exe (PID: 5864)
      • mscorsvw.exe (PID: 6344)
      • mscorsvw.exe (PID: 8624)
      • mscorsvw.exe (PID: 1512)
      • mscorsvw.exe (PID: 6340)
      • mscorsvw.exe (PID: 8600)
      • mscorsvw.exe (PID: 8780)
      • mscorsvw.exe (PID: 3008)
      • mscorsvw.exe (PID: 9044)
      • mscorsvw.exe (PID: 7952)
      • mscorsvw.exe (PID: 8896)
      • mscorsvw.exe (PID: 8656)
      • mscorsvw.exe (PID: 8908)
      • mscorsvw.exe (PID: 7732)
      • mscorsvw.exe (PID: 9024)
      • mscorsvw.exe (PID: 6512)
      • mscorsvw.exe (PID: 8764)
      • mscorsvw.exe (PID: 9116)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6040)
      • msedge.exe (PID: 7820)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 7820)
    • Reads the software policy settings

      • slui.exe (PID: 2392)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • irsetup.exe (PID: 5248)
      • wermgr.exe (PID: 2284)
    • Create files in a temporary directory

      • Fences6-fs-setup.exe (PID: 4268)
      • irsetup.exe (PID: 5248)
      • reg.exe (PID: 960)
      • GetMachineSID.exe (PID: 5056)
    • Process checks computer location settings

      • Fences6-fs-setup.exe (PID: 4268)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
      • irsetup.exe (PID: 5248)
    • Creates files in the program directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 2656)
      • irsetup.exe (PID: 5248)
    • Checks proxy server information

      • wermgr.exe (PID: 2284)
      • irsetup.exe (PID: 5248)
      • MicrosoftEdgeUpdate.exe (PID: 3896)
    • Creates files or folders in the user directory

      • wermgr.exe (PID: 2284)
      • irsetup.exe (PID: 5248)
    • Reads the machine GUID from the registry

      • irsetup.exe (PID: 5248)
    • UPX packer has been detected

      • irsetup.exe (PID: 5248)
    • Launching a file from Task Scheduler

      • irsetup.exe (PID: 5248)
    • The process uses Lua

      • irsetup.exe (PID: 5248)
    • NGen native .NET image generation

      • ngen.exe (PID: 4896)
    • Manual execution by a user

      • Fences.exe (PID: 4976)
      • Fences.exe (PID: 2516)
      • Fences.exe (PID: 864)
      • rundll32.exe (PID: 4728)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
312
Monitored processes
176
Malicious processes
7
Suspicious processes
8

Behavior graph

Process graph (interactive in the full report; only the node labels survived extraction). Processes appearing as nodes, in graph order: msedge.exe, sppextcomobj.exe, slui.exe, identity_helper.exe, fences6-fs-setup.exe, irsetup.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, wermgr.exe, reg.exe, conhost.exe, getmachinesid.exe, schtasks.exe, cmd.exe, fences.exe, icacls.exe, regsvr32.exe, ngen.exe, rundll32.exe, mscorsvw.exe, sddisplay.exe, explorer.exe, deelevate64.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
232
CMD:
"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll",StartHotkeySupportAsUser
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
472
CMD:
"C:\Program Files (x86)\Stardock\Fences\Fences.exe" /fixpermissions
Path:
C:\Program Files (x86)\Stardock\Fences\Fences.exe
Parent process:
Fences.exe
User:
admin
Company:
Stardock Corporation
Integrity Level:
HIGH
Description:
Fences Settings
Exit code:
0
Version:
6.0.0.2
Modules
Images
c:\program files (x86)\stardock\fences\fences.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
516
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5452 --field-trial-handle=2348,i,376840634484839337,17623181210919247490,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
516
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6700 --field-trial-handle=2348,i,376840634484839337,17623181210919247490,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
616
CMD:
"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll",StartFences
Path:
C:\Windows\System32\rundll32.exe
Parent process:
Fences.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
PID:
656
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 0 -NGENProcess 3ec -Pipe 3a8 -Comment "NGen Worker Process"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Parent process:
ngen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
.NET Runtime Optimization Service
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
668
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5340 --field-trial-handle=2348,i,376840634484839337,17623181210919247490,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
716
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3464 --field-trial-handle=2348,i,376840634484839337,17623181210919247490,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
736
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6344 --field-trial-handle=2348,i,376840634484839337,17623181210919247490,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
736
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1fc -Comment "NGen Worker Process"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Parent process:
ngen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
.NET Runtime Optimization Service
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
49 530
Read events
48 734
Write events
634
Delete events
162

Modification events

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000007028C
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

(PID) Process: (7820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (7820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (7820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (7820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (7820) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 561DAFE154952F00

(PID) Process: (7820) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: A973B7E154952F00

(PID) Process: (7820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459404
Operation: write
Name: WindowTabManagerFileMappingId
Value: {8CEFF8A1-B006-4FE5-BB0F-4F59C1EEACF1}

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000050370
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

(PID) Process: (7820) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459404
Operation: write
Name: WindowTabManagerFileMappingId
Value: {F7F52599-9B4D-4479-85D6-7E385F8C9B3A}
Executable files
398
Suspicious files
308
Text files
320
Unknown types
146

Dropped files

PID
Process
Filename
Type
PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State~RF11f5a8.TMP
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF11f5c7.TMP
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF11f5c7.TMP
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11f5d6.TMP
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11f5d6.TMP
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11f5d6.TMP
MD5:
SHA256:

PID: 7820
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
186
DNS requests
176
Threats
15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7600 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7600 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6040 | msedge.exe | GET | 172.64.149.23:80 | http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | unknown | whitelisted
4424 | svchost.exe | HEAD | 200 | 23.32.238.99:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3ab36512-8e78-4855-9d3c-00fc48298f23?P1=1749572862&P2=404&P3=2&P4=kTZvaJzYH0NifaqBviAOuLVkESdiPCXd2Z9shhkH6eOvJI7gFFpgWOS2NDyWWAARddgJAAbFaCfenXUszeKvug%3d%3d | unknown | whitelisted
6540 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6540 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4424 | svchost.exe | GET | 206 | 23.32.238.99:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3ab36512-8e78-4855-9d3c-00fc48298f23?P1=1749572862&P2=404&P3=2&P4=kTZvaJzYH0NifaqBviAOuLVkESdiPCXd2Z9shhkH6eOvJI7gFFpgWOS2NDyWWAARddgJAAbFaCfenXUszeKvug%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7600 | svchost.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1088 | RUXIMICS.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
7600 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7600 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7820 | msedge.exe | 239.255.255.250:1900 | whitelisted
6040 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 2.23.246.101
whitelisted
config.edge.skype.com
  • 13.107.42.16
  • 13.107.43.16
whitelisted
stardock.com
  • 66.79.209.93
unknown
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 40.90.65.130
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
www.stardock.com
  • 66.79.209.93
unknown
www.bing.com
  • 2.16.204.155
  • 2.16.204.148
  • 2.16.204.153
  • 2.16.204.134
  • 2.16.204.138
  • 2.16.204.161
  • 2.16.204.135
  • 2.16.204.146
  • 2.23.227.142
  • 2.23.227.138
  • 2.16.204.151
  • 2.16.204.139
  • 2.16.204.150
  • 2.16.204.149
  • 2.16.204.136
  • 2.16.204.144
whitelisted

Threats

PID | Process | Class | Message
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6040 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
No debug info