URL:

https://mega.nz/file/jgQTyZ4B#FSxbdWI7AIuekdAHR1ySBzTo4EfKJHNuaHjGIMWhTHs

Full analysis: https://app.any.run/tasks/f16447bf-14c6-4562-a223-489f88b516ff
Verdict: Malicious activity
Analysis date: April 04, 2025, 22:11:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
winring0x64-sys
vuln-driver
Indicators:
MD5:

D7383BD06058656D7D981344B653B692

SHA1:

052FCBEF08779F101424DDD427424C081EA1F54B

SHA256:

7C591520023C7464AA4D005AA9F2E4EA2694D59CFAAE094DC2FDE1D47B23E0B7

SSDEEP:

3:N8X/irBDyIZek/MGDorzRW:2BIMk/1+w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 684)
      • cmd.exe (PID: 6256)
      • cmd.exe (PID: 2616)

    • Changes Windows Defender settings

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Adds extension to the Windows Defender exclusion list

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Application was injected by another process

      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1252)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2068)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 3104)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 2624)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 3184)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 2996)
      • dllhost.exe (PID: 5880)
      • svchost.exe (PID: 4508)
      • MoUsoCoreWorker.exe (PID: 5496)
      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 1684)
      • sihost.exe (PID: 4984)
      • svchost.exe (PID: 6024)
      • dllhost.exe (PID: 6896)
      • explorer.exe (PID: 5492)
      • uhssvc.exe (PID: 648)
      • dwm.exe (PID: 6568)
      • RuntimeBroker.exe (PID: 6160)
      • RuntimeBroker.exe (PID: 1036)
      • ApplicationFrameHost.exe (PID: 6952)
      • UserOOBEBroker.exe (PID: 1248)
      • ctfmon.exe (PID: 956)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 4916)
      • svchost.exe (PID: 6544)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 6608)
      • svchost.exe (PID: 4952)
      • svchost.exe (PID: 4544)
      • RuntimeBroker.exe (PID: 5368)
      • svchost.exe (PID: 4336)
      • WmiPrvSE.exe (PID: 5156)
      • WmiPrvSE.exe (PID: 3024)
      • svchost.exe (PID: 7152)
      • svchost.exe (PID: 4844)
      • svchost.exe (PID: 4348)
      • audiodg.exe (PID: 6168)
      • svchost.exe (PID: 2560)
      • svchost.exe (PID: 6180)
      • svchost.exe (PID: 4692)
      • consent.exe (PID: 8116)
      • consent.exe (PID: 472)
      • taskhostw.exe (PID: 2040)

    • Runs injected code in another process

      • dialer.exe (PID: 8060)
      • dialer.exe (PID: 6644)
      • dialer.exe (PID: 3028)
      • dialer.exe (PID: 6668)

    • Vulnerable driver has been detected

      • ofmvnvzjtyqd.exe (PID: 5112)
      • ofmvnvzjtyqd.exe (PID: 7324)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6576)
      • Extreme Injector v3.exe (PID: 4728)
      • Extreme Injector v3.exe (PID: 7304)
      • Extreme Injector v3.exe (PID: 4608)
      • GTA E Fsl Patch.exe (PID: 5988)

    • Executable content was dropped or overwritten

      • Extreme Injector v3.exe (PID: 4728)
      • Extreme Injector v32.exe (PID: 2092)
      • svchost.exe (PID: 2996)
      • explorer.exe (PID: 5492)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • GTA E Fsl Patch.exe (PID: 5988)
      • GTA E Fsl Patch.exe (PID: 6940)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Script adds exclusion extension to Windows Defender

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Script adds exclusion path to Windows Defender

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Starts POWERSHELL.EXE for commands execution

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Starts CMD.EXE for commands execution

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Stops a currently running service

      • sc.exe (PID: 6660)
      • sc.exe (PID: 6044)
      • sc.exe (PID: 1628)
      • sc.exe (PID: 4380)
      • sc.exe (PID: 7500)
      • sc.exe (PID: 6828)
      • sc.exe (PID: 6564)
      • sc.exe (PID: 7212)
      • sc.exe (PID: 7212)
      • sc.exe (PID: 5588)
      • sc.exe (PID: 4976)
      • sc.exe (PID: 6044)
      • sc.exe (PID: 1064)
      • sc.exe (PID: 5408)
      • sc.exe (PID: 4100)
      • sc.exe (PID: 4376)
      • sc.exe (PID: 1096)
      • sc.exe (PID: 7284)
      • sc.exe (PID: 5980)
      • sc.exe (PID: 7312)
      • sc.exe (PID: 4224)
      • sc.exe (PID: 5280)

    • Adds/modifies Windows certificates

      • lsass.exe (PID: 756)

    • Process uninstalls Windows update

      • wusa.exe (PID: 6136)
      • wusa.exe (PID: 2092)
      • wusa.exe (PID: 6300)
      • wusa.exe (PID: 5176)

    • Starts SC.EXE for service management

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Manipulates environment variables

      • powershell.exe (PID: 6972)
      • powershell.exe (PID: 4976)
      • powershell.exe (PID: 5044)
      • powershell.exe (PID: 8108)

    • Uses powercfg.exe to modify the power settings

      • Extreme Injector v32.exe (PID: 2092)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2568)
      • sc.exe (PID: 1096)
      • sc.exe (PID: 928)

    • Creates a new Windows service

      • sc.exe (PID: 2236)

    • Executes as Windows Service

      • ofmvnvzjtyqd.exe (PID: 5112)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Drops a system driver (possible attempt to evade defenses)

      • ofmvnvzjtyqd.exe (PID: 5112)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Connects to unusual port

      • dialer.exe (PID: 2268)

  • INFO

    • Reads the time zone

      • MoUsoCoreWorker.exe (PID: 5496)
      • WmiPrvSE.exe (PID: 5156)
      • svchost.exe (PID: 2396)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
      • Extreme Injector v32.exe (PID: 2092)

    • Creates files or folders in the user directory

      • lsass.exe (PID: 756)
      • Extreme Injector v3.exe (PID: 4728)
      • explorer.exe (PID: 5492)

    • Reads the computer name

      • identity_helper.exe (PID: 3020)
      • Extreme Injector v3.exe (PID: 4728)
      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 7304)
      • Extreme Injector v3.exe (PID: 4608)
      • GTA E Fsl Patch.exe (PID: 5988)
      • GTA E Fsl Patch.exe (PID: 6940)

    • Checks supported languages

      • identity_helper.exe (PID: 3020)
      • Extreme Injector v32.exe (PID: 2092)
      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 4728)
      • uhssvc.exe (PID: 648)
      • ofmvnvzjtyqd.exe (PID: 5112)
      • Extreme Injector v3.exe (PID: 7304)
      • Extreme Injector v3.exe (PID: 4608)
      • Extreme Injector v32.exe (PID: 5188)
      • ofmvnvzjtyqd.exe (PID: 7324)
      • GTA E Fsl Patch.exe (PID: 5988)
      • GTA E Fsl Patch.exe (PID: 6940)
      • Extreme Injector v32.exe (PID: 8152)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 2536)
      • explorer.exe (PID: 5492)

    • Reads Environment values

      • identity_helper.exe (PID: 3020)
      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 7304)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 7396)
      • OfficeClickToRun.exe (PID: 3112)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6576)

    • Autorun file from Downloads

      • msedge.exe (PID: 6148)

    • Reads the software policy settings

      • lsass.exe (PID: 756)
      • Extreme Injector v3.exe (PID: 8152)
      • slui.exe (PID: 6456)
      • Extreme Injector v3.exe (PID: 7304)
      • consent.exe (PID: 8116)
      • consent.exe (PID: 472)
      • slui.exe (PID: 6392)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6576)
      • svchost.exe (PID: 2996)
      • explorer.exe (PID: 5492)

    • Create files in a temporary directory

      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 4728)
      • svchost.exe (PID: 4692)
      • Extreme Injector v3.exe (PID: 4608)
      • GTA E Fsl Patch.exe (PID: 5988)

    • Checks proxy server information

      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 7304)
      • slui.exe (PID: 6392)

    • Application launched itself

      • msedge.exe (PID: 7396)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6972)
      • powershell.exe (PID: 4976)
      • powershell.exe (PID: 5044)
      • powershell.exe (PID: 8108)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6972)
      • powershell.exe (PID: 4976)
      • powershell.exe (PID: 5044)
      • powershell.exe (PID: 8108)

    • Disables trace logs

      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 7304)

    • Reads the machine GUID from the registry

      • Extreme Injector v3.exe (PID: 8152)
      • Extreme Injector v3.exe (PID: 7304)

    • Process checks computer location settings

      • Extreme Injector v3.exe (PID: 4728)
      • Extreme Injector v3.exe (PID: 4608)
      • GTA E Fsl Patch.exe (PID: 5988)

    • The sample compiled with japanese language support

      • ofmvnvzjtyqd.exe (PID: 5112)
      • ofmvnvzjtyqd.exe (PID: 7324)

    • Manual execution by a user

      • Extreme Injector v3.exe (PID: 776)
      • Extreme Injector v3.exe (PID: 4608)
      • GTA E Fsl Patch.exe (PID: 1628)
      • GTA E Fsl Patch.exe (PID: 5988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
318
Monitored processes
272
Malicious processes
104
Suspicious processes
5

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe wmiprvse.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs extreme injector v3.exe no specs extreme injector v3.exe extreme injector v32.exe extreme injector v3.exe svchost.exe powershell.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs wmiprvse.exe cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs THREAT ofmvnvzjtyqd.exe powershell.exe no specs conhost.exe no specs msedge.exe no specs svchost.exe slui.exe cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs dialer.exe no specs dialer.exe msedge.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs extreme injector v3.exe no specs consent.exe extreme injector v3.exe extreme injector v32.exe extreme injector v3.exe msedge.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs gta e fsl patch.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs consent.exe conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs dialer.exe no specs conhost.exe no specs wusa.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs THREAT ofmvnvzjtyqd.exe powershell.exe no specs conhost.exe no specs gta e fsl patch.exe extreme injector v32.exe no specs gta e fsl patch.exe cmd.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dialer.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs taskhostw.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe uhssvc.exe lsass.exe svchost.exe ctfmon.exe runtimebroker.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe runtimebroker.exe explorer.exe mousocoreworker.exe dllhost.exe svchost.exe runtimebroker.exe audiodg.exe dllhost.exe svchost.exe svchost.exe dwm.exe svchost.exe winlogon.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
300C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-dc 0C:\Windows\System32\powercfg.exeExtreme Injector v32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
472consent.exe 4916 444 0000021B57621D70C:\Windows\System32\consent.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Consent UI for administrative applications
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\consent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
472"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7956 --field-trial-handle=2416,i,16615261550615635135,13559014759043353983,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
684\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
684C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartC:\Windows\System32\cmd.exeofmvnvzjtyqd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
87
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
736C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-dc 0C:\Windows\System32\powercfg.exeofmvnvzjtyqd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
Total events
86 539
Read events
85 478
Write events
766
Delete events
295

Modification events

(PID) Process:(5496) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator
Operation:delete valueName:EnhancedShutdownEnabled
Value:
(PID) Process:(5496) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator
Operation:writeName:ShutdownFlyoutOptions
Value:
0
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000003024E
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000030264
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(7396) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7396) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7396) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7396) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(2112) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation:writeName:Preshutdown
Value:
0
(PID) Process:(1260) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator
Operation:writeName:SD
Value:
0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000
Executable files
39
Suspicious files
419
Text files
93
Unknown types
0

Dropped files

PID
Process
Filename
Type
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b49c.TMP
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b46d.TMP
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b4cb.TMP
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b49c.TMP
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b4cb.TMP
MD5:
SHA256:
7396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
169
DNS requests
86
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1568
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1568
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7680
msedge.exe
GET
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744039857&P2=404&P3=2&P4=bURG4WfTsc6k7SlFtLDIenAP08cdWdluUiIUpazygFOwF7FkFYom64qU1Xy2QurPSg2f2f24v7cwLmYuU4Qc9A%3d%3d
unknown
whitelisted
4692
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744039857&P2=404&P3=2&P4=bURG4WfTsc6k7SlFtLDIenAP08cdWdluUiIUpazygFOwF7FkFYom64qU1Xy2QurPSg2f2f24v7cwLmYuU4Qc9A%3d%3d
unknown
whitelisted
5544
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744039857&P2=404&P3=2&P4=bURG4WfTsc6k7SlFtLDIenAP08cdWdluUiIUpazygFOwF7FkFYom64qU1Xy2QurPSg2f2f24v7cwLmYuU4Qc9A%3d%3d
unknown
whitelisted
5544
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744039857&P2=404&P3=2&P4=bURG4WfTsc6k7SlFtLDIenAP08cdWdluUiIUpazygFOwF7FkFYom64qU1Xy2QurPSg2f2f24v7cwLmYuU4Qc9A%3d%3d
unknown
whitelisted
7680
msedge.exe
GET
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744096095&P2=404&P3=2&P4=nZHTLroDspk2vryi5DJQHut%2fm7v9UpltYJYMM%2fbd83ZpdmRddH6yRVEybPG%2fyiNVhywDaYa3QVJy8MXmxKpmBw%3d%3d
unknown
whitelisted
7680
msedge.exe
GET
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a9053068-ae74-4741-b690-18ffac156a36?P1=1744039859&P2=404&P3=2&P4=Kw2HDWr8wgC1H4jpf2ociijG5bBt4IYefT8rAbH3N1bq%2f0TK3QT5h%2f47qyM51eYCVzZrfgxu6WxGUkMMdr0hzQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7396
msedge.exe
239.255.255.250:1900
whitelisted
7680
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7680
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7680
msedge.exe
31.216.144.5:443
mega.nz
Datacenter Luxembourg S.A.
LU
whitelisted
7680
msedge.exe
13.107.253.45:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.143
whitelisted
google.com
  • 172.217.16.206
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
mega.nz
  • 31.216.144.5
  • 31.216.145.5
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 23.50.131.74
  • 23.50.131.78
whitelisted
www.bing.com
  • 2.16.204.134
  • 2.16.204.135
whitelisted

Threats

PID
Process
Class
Message
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
7680
msedge.exe
Misc activity
ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mega.nz/file/jgQTyZ4B#FSxbdWI7AIuekdAHR1ySBzTo4EfKJHNuaHjGIMWhTHs