URL: https://d2jb0me8mxi5vc.cloudfront.net/82UOH6p/bMLg/simple-sticky-notes.exe

Full analysis: https://app.any.run/tasks/42989644-3a5a-486d-b11c-5e0d0e8895f0
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: September 14, 2024, 19:39:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
innosetup
loader
stealer
netreactor
Indicators:
MD5: EC47FF8DB30594E926A03BCDBEE0E310
SHA1: 1235171DFFD1110343A0318A45EBFFEB894EA06F
SHA256: 827E0A7B8A4DA6AEC6E2C5092823D1C3B4FC8F1524FC69C12C71576856E65EF7
SSDEEP: 3:N8PPHV4MLGJ0l/0acOEOFE+d4A:23HVPaRa6OO+dN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • INNOSETUP has been detected (SURICATA)

      • file_Nu5nh-1.tmp (PID: 7196)
    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 7852)
      • rsEngineSvc.exe (PID: 3648)
    • Changes the autorun value in the registry

      • ssn.exe (PID: 3296)
      • rundll32.exe (PID: 7272)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8012)
      • file_Nu5nh-1.tmp (PID: 7196)
      • prod0.exe (PID: 7724)
      • simple-sticky-notes.tmp (PID: 1812)
      • ssn.exe (PID: 3296)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 7080)
      • rsEDRSvc.exe (PID: 940)
      • rsEngineSvc.exe (PID: 3648)
    • Executable content was dropped or overwritten

      • simple-sticky-notes_Nu5nh-1.exe (PID: 7992)
      • simple-sticky-notes_Nu5nh-1.exe (PID: 8124)
      • file_Nu5nh-1.tmp (PID: 7196)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • file_Nu5nh-1.exe (PID: 2468)
      • prod0.exe (PID: 7724)
      • atpcib5s.exe (PID: 6928)
      • UnifiedStub-installer.exe (PID: 7852)
      • simple-sticky-notes.exe (PID: 2524)
      • simple-sticky-notes.tmp (PID: 1812)
    • Reads the Windows owner or organization settings

      • file_Nu5nh-1.tmp (PID: 7196)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • simple-sticky-notes.tmp (PID: 1812)
    • Access to an unwanted program domain was detected

      • file_Nu5nh-1.tmp (PID: 7196)
    • Potential Corporate Privacy Violation

      • file_Nu5nh-1.tmp (PID: 7196)
    • Reads the date of Windows installation

      • prod0.exe (PID: 7724)
      • rsEDRSvc.exe (PID: 740)
      • rsEngineSvc.exe (PID: 3648)
    • Process requests binary or script from the Internet

      • file_Nu5nh-1.tmp (PID: 7196)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 7852)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 7852)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 7924)
      • rsWSC.exe (PID: 3548)
      • rsClientSvc.exe (PID: 1692)
      • rsEngineSvc.exe (PID: 3648)
      • rsEDRSvc.exe (PID: 740)
      • WmiApSrv.exe (PID: 8216)
    • Executes application which crashes

      • file_Nu5nh-1.tmp (PID: 7196)
    • The process creates files with name similar to system file names

      • UnifiedStub-installer.exe (PID: 7852)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 7852)
    • Checks Windows Trust Settings

      • UnifiedStub-installer.exe (PID: 7852)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 7080)
      • rsWSC.exe (PID: 3548)
      • rsEngineSvc.exe (PID: 3648)
      • rsEDRSvc.exe (PID: 940)
      • rsEDRSvc.exe (PID: 740)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 7852)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 3648)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 7852)
      • rundll32.exe (PID: 7272)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 7852)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 7852)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 7852)
    • Reads the BIOS version

      • rsEDRSvc.exe (PID: 740)
      • rsEngineSvc.exe (PID: 3648)
    • Process checks whether PowerShell's Script Block Logging is on

      • rsEDRSvc.exe (PID: 740)
    • Application launched itself

      • rsAppUI.exe (PID: 5304)
    • The process checks if it is being run in the virtual environment

      • rsEngineSvc.exe (PID: 3648)
    • There is functionality for taking screenshot (YARA)

      • rsHelper.exe (PID: 7644)
  • INFO

    • The process uses the downloaded file

      • msedge.exe (PID: 7776)
      • msedge.exe (PID: 1656)
      • file_Nu5nh-1.tmp (PID: 7196)
      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • runonce.exe (PID: 7720)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 7080)
      • rsEDRSvc.exe (PID: 940)
      • rsEngineSvc.exe (PID: 3648)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 1656)
      • msedge.exe (PID: 1964)
      • msedge.exe (PID: 6576)
    • Checks supported languages

      • simple-sticky-notes_Nu5nh-1.exe (PID: 7992)
      • simple-sticky-notes_Nu5nh-1.exe (PID: 8124)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8012)
      • identity_helper.exe (PID: 3964)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • file_Nu5nh-1.tmp (PID: 7196)
      • file_Nu5nh-1.exe (PID: 2468)
      • prod0.exe (PID: 7724)
      • atpcib5s.exe (PID: 6928)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsSyncSvc.exe (PID: 7404)
      • rsSyncSvc.exe (PID: 7924)
      • simple-sticky-notes.exe (PID: 2524)
      • simple-sticky-notes.tmp (PID: 1812)
      • ssn.exe (PID: 3296)
      • ssn.exe (PID: 7648)
      • rsWSC.exe (PID: 5816)
      • rsWSC.exe (PID: 3548)
      • rsClientSvc.exe (PID: 1812)
      • rsClientSvc.exe (PID: 1692)
      • rsEngineSvc.exe (PID: 7080)
      • rsEngineSvc.exe (PID: 3648)
      • rsHelper.exe (PID: 7644)
      • rsEDRSvc.exe (PID: 940)
      • rsEDRSvc.exe (PID: 740)
      • EPP.exe (PID: 4024)
      • ssn.exe (PID: 7200)
      • rsAppUI.exe (PID: 5304)
      • rsAppUI.exe (PID: 7764)
      • rsAppUI.exe (PID: 7992)
      • rsAppUI.exe (PID: 1232)
      • rsAppUI.exe (PID: 8400)
      • rsLitmus.A.exe (PID: 8356)
      • ssn.exe (PID: 8860)
      • ssn.exe (PID: 8896)
    • Process checks computer location settings

      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8012)
      • file_Nu5nh-1.tmp (PID: 7196)
      • prod0.exe (PID: 7724)
      • ssn.exe (PID: 3296)
      • rsAppUI.exe (PID: 5304)
      • rsAppUI.exe (PID: 1232)
      • rsAppUI.exe (PID: 8400)
    • Reads the computer name

      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8012)
      • identity_helper.exe (PID: 3964)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • file_Nu5nh-1.tmp (PID: 7196)
      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsSyncSvc.exe (PID: 7404)
      • rsSyncSvc.exe (PID: 7924)
      • simple-sticky-notes.tmp (PID: 1812)
      • ssn.exe (PID: 3296)
      • ssn.exe (PID: 7648)
      • rsWSC.exe (PID: 5816)
      • rsWSC.exe (PID: 3548)
      • rsClientSvc.exe (PID: 1812)
      • rsClientSvc.exe (PID: 1692)
      • rsEngineSvc.exe (PID: 7080)
      • rsEngineSvc.exe (PID: 3648)
      • rsHelper.exe (PID: 7644)
      • rsEDRSvc.exe (PID: 940)
      • rsEDRSvc.exe (PID: 740)
      • ssn.exe (PID: 7200)
      • rsAppUI.exe (PID: 5304)
      • rsAppUI.exe (PID: 7764)
      • rsAppUI.exe (PID: 7992)
      • ssn.exe (PID: 8860)
      • ssn.exe (PID: 8896)
    • Reads Environment values

      • identity_helper.exe (PID: 3964)
      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsEngineSvc.exe (PID: 3648)
      • rsEDRSvc.exe (PID: 740)
      • rsAppUI.exe (PID: 5304)
    • Create files in a temporary directory

      • simple-sticky-notes_Nu5nh-1.exe (PID: 7992)
      • simple-sticky-notes_Nu5nh-1.exe (PID: 8124)
      • file_Nu5nh-1.tmp (PID: 7196)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • file_Nu5nh-1.exe (PID: 2468)
      • atpcib5s.exe (PID: 6928)
      • prod0.exe (PID: 7724)
      • simple-sticky-notes.exe (PID: 2524)
      • simple-sticky-notes.tmp (PID: 1812)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsAppUI.exe (PID: 5304)
    • Application launched itself

      • msedge.exe (PID: 1656)
    • Reads the software policy settings

      • file_Nu5nh-1.tmp (PID: 7196)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • WerFault.exe (PID: 8144)
      • WerFault.exe (PID: 7260)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 7080)
      • rsEngineSvc.exe (PID: 3648)
      • rsWSC.exe (PID: 3548)
      • rsEDRSvc.exe (PID: 940)
      • rsEDRSvc.exe (PID: 740)
    • Reads the machine GUID from the registry

      • file_Nu5nh-1.tmp (PID: 7196)
      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • ssn.exe (PID: 3296)
      • rsWSC.exe (PID: 5816)
      • rsWSC.exe (PID: 3548)
      • rsEngineSvc.exe (PID: 7080)
      • rsEngineSvc.exe (PID: 3648)
      • rsHelper.exe (PID: 7644)
      • rsEDRSvc.exe (PID: 940)
      • rsEDRSvc.exe (PID: 740)
      • rsAppUI.exe (PID: 5304)
    • Checks proxy server information

      • file_Nu5nh-1.tmp (PID: 7196)
      • simple-sticky-notes_Nu5nh-1.tmp (PID: 8152)
      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • WerFault.exe (PID: 8144)
      • WerFault.exe (PID: 7260)
      • ssn.exe (PID: 3296)
      • rsWSC.exe (PID: 5816)
      • rsAppUI.exe (PID: 5304)
    • Disables trace logs

      • prod0.exe (PID: 7724)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsEngineSvc.exe (PID: 3648)
      • rsEDRSvc.exe (PID: 740)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 7852)
      • simple-sticky-notes.tmp (PID: 1812)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 7080)
      • rsEngineSvc.exe (PID: 3648)
      • rsEDRSvc.exe (PID: 940)
      • rsEDRSvc.exe (PID: 740)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 8144)
      • WerFault.exe (PID: 7260)
      • UnifiedStub-installer.exe (PID: 7852)
      • rsWSC.exe (PID: 5816)
      • rsEngineSvc.exe (PID: 3648)
      • rsAppUI.exe (PID: 5304)
      • rsAppUI.exe (PID: 7992)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 7852)
      • rsWSC.exe (PID: 3548)
      • rsEngineSvc.exe (PID: 3648)
      • rsHelper.exe (PID: 7644)
      • rsEDRSvc.exe (PID: 740)
    • Creates a software uninstall entry

      • simple-sticky-notes.tmp (PID: 1812)
    • Manual execution by a user

      • ssn.exe (PID: 7648)
      • ssn.exe (PID: 7200)
      • ssn.exe (PID: 8860)
      • ssn.exe (PID: 8896)
    • Reads the time zone

      • runonce.exe (PID: 7720)
      • rsEDRSvc.exe (PID: 740)
      • rsEngineSvc.exe (PID: 3648)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7720)
    • Sends debugging messages

      • rsEngineSvc.exe (PID: 3648)
      • rsEDRSvc.exe (PID: 740)
    • Reads product name

      • rsEDRSvc.exe (PID: 740)
      • rsEngineSvc.exe (PID: 3648)
      • rsAppUI.exe (PID: 5304)
    • Reads CPU info

      • rsEDRSvc.exe (PID: 740)
      • rsEngineSvc.exe (PID: 3648)
No Malware configuration.
Total processes: 238
Monitored processes: 105
Malicious processes: 10
Suspicious processes: 5


Process information

PID: 32
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5484 --field-trial-handle=2416,i,13511861984057761512,17217177388750732535,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 740
CMD: "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
Path: C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Reason Cybersecurity Ltd.
Integrity Level: SYSTEM
Description: Reason EDR Service
Version: 2.2.0
Modules
Images
c:\program files\reasonlabs\edr\rsedrsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 788
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: rsClientSvc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 940
CMD: "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
Path: C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
Parent process: UnifiedStub-installer.exe
User: admin
Company: Reason Cybersecurity Ltd.
Integrity Level: HIGH
Description: Reason EDR Service
Exit code: 0
Version: 2.2.0
Modules
Images
c:\program files\reasonlabs\edr\rsedrsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6584 --field-trial-handle=2416,i,13511861984057761512,17217177388750732535,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1060
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: wevtutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1232
CMD: "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2404,i,5057993882544066042,5207737001082417675,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:1
Path: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
Parent process: rsAppUI.exe
User: admin
Company: Reason Cybersecurity Ltd.
Integrity Level: LOW
Description: ReasonLabs Application
Version: 1.6.0
Modules
Images
c:\program files\reasonlabs\common\client\v1.6.0\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1568
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2416,i,13511861984057761512,17217177388750732535,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1656
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://d2jb0me8mxi5vc.cloudfront.net/82UOH6p/bMLg/simple-sticky-notes.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1692
CMD: "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
Path: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Reason Software Company Inc.
Integrity Level: SYSTEM
Description: Reason Client Service
Version: 5.38.0
Modules
Images
c:\program files\reasonlabs\epp\rsclientsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 61 210
Read events: 60 863
Write events: 276
Delete events: 71

Modification events

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

PID/Process: (1656) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 879A19CAAF802F00

PID/Process: (1656) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: DBC120CAAF802F00

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459550
Operation: write
Name: WindowTabManagerFileMappingId
Value: {15251E30-0256-4EFD-B80B-5C2ABF78ED03}

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459550
Operation: write
Name: WindowTabManagerFileMappingId
Value: {990B20F7-59F8-480E-84B0-A92F63A843F3}

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

PID/Process: (1656) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation: write
Name: Enabled
Value: 0
Executable files: 549
Suspicious files: 604
Text files: 197
Unknown types: 11

Dropped files

PID | Process | Filename
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF129fb3.TMP
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF129fc2.TMP
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF129fc2.TMP
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF129ff1.TMP
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF129ff1.TMP
1656 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
HTTP(S) requests: 77
TCP/UDP connections: 231
DNS requests: 195
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1656 | msedge.exe | GET | 200 | 52.6.97.148:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCEFt%2FVDgl5BqhKt4hQ5zf5m8%3D | unknown | whitelisted
1656 | msedge.exe | GET | 200 | 52.6.97.148:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCEFt%2FVDgl5BqhKt4hQ5zf5m8%3D | unknown | whitelisted
1656 | msedge.exe | GET | 200 | 52.85.65.99:80 | http://crls.ssl.com/ssl.com-rsa-RootCA.crl | unknown | whitelisted
1656 | msedge.exe | GET | 200 | 52.6.97.148:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS0UJ9%2FZn2kc3RfVu9A%2FfyFSdQVAwQURPou5oAhpEaXDmroM7xTEWZNqbkCEF4bdHMJUrH6Pg1KnFCo2r4%3D | unknown | whitelisted
1656 | msedge.exe | GET | 200 | 52.85.65.99:80 | http://crls.ssl.com/DTNT-Intermediate-codeSigning-RSA-4096-R2.crl | unknown | whitelisted
1656 | msedge.exe | GET | 200 | 52.85.65.99:80 | http://crls.ssl.com/DTNT-Intermediate-codeSigning-RSA-4096-R2.crl | unknown | whitelisted
7216 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6872 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5612 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6268 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6872 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1964 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1656 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
1964 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1964 | msedge.exe | 13.107.246.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.microsoft.com
  • 69.192.161.161
  • 88.221.169.152
whitelisted
google.com
  • 172.217.18.14
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
d2jb0me8mxi5vc.cloudfront.net
  • 108.138.34.95
  • 108.138.34.174
  • 108.138.34.106
  • 108.138.34.100
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 23.48.23.152
  • 23.48.23.151
  • 2.19.126.152
  • 2.19.126.145
whitelisted

Threats

PID | Process | Class | Message
7196 | file_Nu5nh-1.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
7196 | file_Nu5nh-1.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer

Process | Message
rsEngineSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
rsEDRSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...