File name: 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a

Full analysis: https://app.any.run/tasks/66777a45-111d-4340-9d6d-50addd31b5af
Verdict: Malicious activity
Analysis date: May 19, 2025, 16:53:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 7FA999A7D200C1B26F26BBA80AFD36E8
SHA1: 4C1757DC940F89DD4980C052CAF16467CC3E3904
SHA256: 778434ADEE3E053CF304569FFF5130ACF06AE05C89E26016920D96468B26FB4A
SSDEEP: 24576:4njXB2qE0UURlvaF59K7pUuGJeWuH1NDL18aK2RQIBgA6i:4njXh9lvYHK7pUuGJeWuH1Nn18aK2RQ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • mesedge.exe (PID: 7720)
  • SUSPICIOUS
    • Reads the date of Windows installation
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
    • Executable content was dropped or overwritten
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
    • The process creates files with name similar to system file names
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
    • Reads security settings of Internet Explorer
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
    • Contacting a server suspected of hosting an CnC
      • mesedge.exe (PID: 7720)
  • INFO
    • Checks supported languages
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
      • mesedge.exe (PID: 7720)
    • Reads the computer name
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
      • mesedge.exe (PID: 7720)
    • The sample compiled with english language support
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
    • Reads product name
      • mesedge.exe (PID: 7720)
    • Process checks computer location settings
      • 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe (PID: 7680)
    • Reads Environment values
      • mesedge.exe (PID: 7720)
    • Checks proxy server information
      • slui.exe (PID: 8164)
    • Reads the software policy settings
      • slui.exe (PID: 8164)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2021:04:07 14:39:31+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 165888
InitializedDataSize: 131584
UninitializedDataSize: -
EntryPoint: 0x16b40
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
Total processes: 126
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe mesedge.exe slui.exe

Process information

PID | CMD | Path | Parent process
7680 | "C:\Users\admin\Desktop\778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe" | C:\Users\admin\Desktop\778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_91a79472cc852ba0\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

7720 | "C:\Users\admin\Desktop\mesedge.exe" | C:\Users\admin\Desktop\mesedge.exe | 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Topology Editor
Version: 1.0.0.1
Modules (Images):
c:\users\admin\desktop\mesedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

8164 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 922
Read events: 3 922
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7680 | 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe | C:\Users\admin\Desktop\mesedge.exe | executable
  MD5: CB9954E893674AAFA74BECCBA996F754
  SHA256: 7AC3CAC9C07328AC49D0956E4C3B4ACF2A3D31568CBF99ACCE172E0637AE11A4
7680 | 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe | C:\Users\admin\Desktop\tedutil.dll | executable
  MD5: A0CBA95B123A5522A28723A4AF94CCF1
  SHA256: E21F23970117C5C82DB3AE89F2B8FFF8C62B206818D1C9FE8F350D38066065EF
7680 | 778434adee3e053cf304569fff5130acf06ae05c89e26016920d96468b26fb4a.exe | C:\Users\admin\Desktop\services.dll | executable
  MD5: 941303E9352462E552DE6E2B7D3BD0A8
  SHA256: B1185CFDD1719116E9AE2BC919C8849C4FC73DAD3DB1EE44B0B9C6D6849E6098
HTTP(S) requests: 8
TCP/UDP connections: 40
DNS requests: 17
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7956 | SIHClient.exe | GET | 200 | 2.16.164.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 2.16.164.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 2.16.164.11:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7956 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7720 | mesedge.exe | 104.233.223.194:80 | yh1.ksdcks2.org | PEGTECHINC | US | malicious
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7956 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
7956 | SIHClient.exe | 2.16.164.11:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7956 | SIHClient.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
7956 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.185.142 | whitelisted
yh1.ksdcks2.org | 104.233.223.194 | unknown
client.wns.windows.com | 172.211.123.249, 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
crl.microsoft.com | 2.16.164.11, 2.16.164.25, 2.16.164.106, 2.16.164.107, 2.16.164.34, 2.16.164.81, 2.16.164.33, 2.16.164.43, 2.16.164.35 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.14 | whitelisted

Threats

PID | Process | Class | Message
7720 | mesedge.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
7720 | mesedge.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
7720 | mesedge.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
7720 | mesedge.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
7720 | mesedge.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
7720 | mesedge.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
No debug info