URL:

https://wormhole.app/BER1Oq#vyHGPsA_bo-eequhVhEzjQ

Full analysis: https://app.any.run/tasks/5ce970c8-a271-4b08-abcd-98d7a55e00ac
Verdict: Malicious activity
Threats:

The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware can also adjust Windows Defender settings and uses code injection to manipulate legitimate processes.

Analysis date: April 08, 2026, 21:14:16
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
possible-phishing
phish-url
websocket
anti-evasion
evasion
generic
stealer
golang
auto
powershell
etherhiding
susp-powershell
hijackloader
loader
amsi-bypass
arechclient2
backdoor
rat
Indicators:
MD5:

B4877147B826C125ADED186CA5B05804

SHA1:

1F46EFA18858A2D0C64E774F44D050164C8766DB

SHA256:

869BFDECD1FB5984B659500E6189AF25FD13CF5807C7659E34446FAB3DE4D20C

SSDEEP:

3:N8bXINKJujHq6hUQN3n:2kNSujHMY3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • wohrNmlgP.exe (PID: 644)
      • XPFix.exe (PID: 900)
    • GENERIC has been detected (SURICATA)

      • lnstaIer.exe (PID: 2120)
    • Steals credentials from Web Browsers

      • wohrNmlgP.exe (PID: 644)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6424)
    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
    • GENERIC has been found (auto)

      • Reflector_Digital21.exe (PID: 1080)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
    • Changes powershell execution policy (Bypass)

      • conhost.exe (PID: 5036)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
    • Creates scheduled task from XML file

      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
    • Execute application with conhost.exe as parent process

      • powershell.exe (PID: 7084)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • ETHERHIDING has been detected (SURICATA)

      • CheckNetIsolation.exe (PID: 2476)
    • HIJACKLOADER has been detected (YARA)

      • KeAnalyzer.exe (PID: 7888)
    • ARECHCLIENT2 has been detected (SURICATA)

      • KeAnalyzer.exe (PID: 7888)
  • SUSPICIOUS

    • Possibly a phishing URL contains email has been detected

      • msedge.exe (PID: 4432)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2440)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 1716)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 7824)
      • cmd.exe (PID: 6544)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 7044)
    • Reads the Internet Settings

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7736)
      • powershell.exe (PID: 2004)
      • powershell.exe (PID: 5132)
      • lnstaIer.exe (PID: 2120)
      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
      • KeAnalyzer.exe (PID: 7888)
      • CheckNetIsolation.exe (PID: 2476)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1716)
      • cmd.exe (PID: 7824)
      • cmd.exe (PID: 6544)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 7044)
      • wohrNmlgP.exe (PID: 644)
      • powershell.exe (PID: 6424)
      • conhost.exe (PID: 5036)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4652)
    • Accesses local storage devices (Win32_LogicalDisk) (SCRIPT)

      • powershell.exe (PID: 1764)
    • Executable content was dropped or overwritten

      • lnstaIer.exe (PID: 2120)
      • wohrNmlgP.exe (PID: 644)
      • Reflector_Digital21.exe (PID: 6968)
      • Reflector_Digital21.exe (PID: 1080)
      • csc.exe (PID: 6076)
      • csc.exe (PID: 6136)
    • Checks for external IP

      • lnstaIer.exe (PID: 2120)
    • Searches for installed software

      • wohrNmlgP.exe (PID: 644)
      • KeAnalyzer.exe (PID: 7888)
    • Possible stealing from crypto wallets

      • wohrNmlgP.exe (PID: 644)
      • KeAnalyzer.exe (PID: 7888)
    • Possible stealing from browsers

      • wohrNmlgP.exe (PID: 644)
    • Browser launch with unusual user-data-dir

      • chrome.exe (PID: 7804)
      • chrome.exe (PID: 7808)
      • chrome.exe (PID: 1268)
      • chrome.exe (PID: 4856)
      • chrome.exe (PID: 6524)
      • chrome.exe (PID: 5464)
      • chrome.exe (PID: 4556)
      • chrome.exe (PID: 3192)
      • chrome.exe (PID: 3892)
      • chrome.exe (PID: 3812)
      • chrome.exe (PID: 536)
      • chrome.exe (PID: 6308)
      • chrome.exe (PID: 928)
      • chrome.exe (PID: 3148)
      • chrome.exe (PID: 1940)
      • chrome.exe (PID: 7408)
      • chrome.exe (PID: 3256)
      • chrome.exe (PID: 2840)
      • KeAnalyzer.exe (PID: 7888)
      • chrome.exe (PID: 4736)
      • msedge.exe (PID: 3836)
      • msedge.exe (PID: 5280)
    • Possible stealing from password managers

      • wohrNmlgP.exe (PID: 644)
    • Multiple wallet extension IDs have been found

      • wohrNmlgP.exe (PID: 644)
    • Possible stealing of email data

      • wohrNmlgP.exe (PID: 644)
    • The process bypasses the loading of PowerShell profile settings

      • wohrNmlgP.exe (PID: 644)
      • powershell.exe (PID: 6424)
      • conhost.exe (PID: 5036)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4652)
      • powershell.exe (PID: 4148)
    • The process hides Powershell's copyright startup banner

      • wohrNmlgP.exe (PID: 644)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • The process hide an interactive prompt from the user

      • wohrNmlgP.exe (PID: 644)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 7084)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6424)
    • Enumerate domain computers

      • powershell.exe (PID: 6424)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Enumerate domain/forest trusts

      • powershell.exe (PID: 6424)
    • Starts itself from another location

      • Reflector_Digital21.exe (PID: 6968)
    • Application launched itself

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4652)
    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
    • The process executes via Task Scheduler

      • conhost.exe (PID: 5036)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • BASE64 encoded PowerShell command has been detected

      • conhost.exe (PID: 5036)
    • Base64-obfuscated command line is found

      • conhost.exe (PID: 5036)
    • Manipulates environment variables

      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6076)
      • csc.exe (PID: 6136)
    • Reads settings of System Certificates

      • CheckNetIsolation.exe (PID: 2476)
      • KeAnalyzer.exe (PID: 7888)
    • Browser sandbox disabling

      • chrome.exe (PID: 4736)
      • chrome.exe (PID: 5476)
      • chrome.exe (PID: 2512)
      • chrome.exe (PID: 5752)
      • chrome.exe (PID: 1320)
      • chrome.exe (PID: 7036)
      • chrome.exe (PID: 3728)
      • chrome.exe (PID: 7768)
      • chrome.exe (PID: 4608)
      • msedge.exe (PID: 3836)
      • chrome.exe (PID: 1416)
      • msedge.exe (PID: 5280)
      • msedge.exe (PID: 6260)
      • msedge.exe (PID: 2388)
      • msedge.exe (PID: 3508)
      • msedge.exe (PID: 2540)
      • msedge.exe (PID: 3048)
      • msedge.exe (PID: 7816)
      • msedge.exe (PID: 4228)
      • msedge.exe (PID: 7668)
      • msedge.exe (PID: 960)
      • msedge.exe (PID: 2460)
      • msedge.exe (PID: 5536)
      • msedge.exe (PID: 1700)
      • msedge.exe (PID: 3452)
      • msedge.exe (PID: 7044)
      • msedge.exe (PID: 1580)
      • msedge.exe (PID: 7340)
      • msedge.exe (PID: 2624)
      • msedge.exe (PID: 1452)
      • msedge.exe (PID: 760)
      • msedge.exe (PID: 4892)
    • Potential Corporate Privacy Violation

      • CheckNetIsolation.exe (PID: 2476)
    • Possibly patching Antimalware Scan Interface function (YARA)

      • KeAnalyzer.exe (PID: 7888)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 4432)
      • msedge.exe (PID: 7872)
      • chrome.exe (PID: 7804)
      • chrome.exe (PID: 7808)
      • chrome.exe (PID: 1268)
      • chrome.exe (PID: 4556)
      • chrome.exe (PID: 3192)
      • chrome.exe (PID: 5464)
      • chrome.exe (PID: 6524)
      • chrome.exe (PID: 3892)
      • chrome.exe (PID: 4856)
      • chrome.exe (PID: 3812)
      • chrome.exe (PID: 3148)
      • chrome.exe (PID: 6308)
      • chrome.exe (PID: 928)
      • chrome.exe (PID: 536)
      • chrome.exe (PID: 1940)
      • chrome.exe (PID: 7408)
      • chrome.exe (PID: 3256)
      • chrome.exe (PID: 2840)
      • chrome.exe (PID: 4736)
      • msedge.exe (PID: 3836)
      • msedge.exe (PID: 5280)
    • Reads the computer name

      • identity_helper.exe (PID: 7400)
      • identity_helper.exe (PID: 6664)
      • lnstaIer.exe (PID: 2120)
      • wohrNmlgP.exe (PID: 644)
      • Reflector_Digital21.exe (PID: 6968)
      • Reflector_Digital21.exe (PID: 1080)
      • KeAnalyzer.exe (PID: 7888)
      • XPFix.exe (PID: 900)
    • Checks supported languages

      • identity_helper.exe (PID: 7400)
      • identity_helper.exe (PID: 6664)
      • lnstaIer.exe (PID: 2120)
      • wohrNmlgP.exe (PID: 644)
      • Reflector_Digital21.exe (PID: 6968)
      • Reflector_Digital21.exe (PID: 1080)
      • KeAnalyzer.exe (PID: 7888)
      • XPFix.exe (PID: 900)
      • csc.exe (PID: 6076)
      • cvtres.exe (PID: 7524)
      • csc.exe (PID: 6136)
      • cvtres.exe (PID: 1532)
    • Reads Environment values

      • identity_helper.exe (PID: 7400)
      • identity_helper.exe (PID: 6664)
      • KeAnalyzer.exe (PID: 7888)
    • Manual execution by a user

      • WinRAR.exe (PID: 4400)
      • lnstaIer.exe (PID: 2120)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4400)
      • msedge.exe (PID: 6332)
    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 7744)
      • lnstaIer.exe (PID: 2120)
    • The sample compiled with english language support

      • msedge.exe (PID: 6332)
      • wohrNmlgP.exe (PID: 644)
      • Reflector_Digital21.exe (PID: 6968)
      • Reflector_Digital21.exe (PID: 1080)
    • Reads the machine GUID from the registry

      • lnstaIer.exe (PID: 2120)
      • wohrNmlgP.exe (PID: 644)
      • KeAnalyzer.exe (PID: 7888)
      • csc.exe (PID: 6076)
      • csc.exe (PID: 6136)
    • Checks operating system version

      • lnstaIer.exe (PID: 2120)
    • Creates files or folders in the user directory

      • lnstaIer.exe (PID: 2120)
      • Reflector_Digital21.exe (PID: 1080)
      • CheckNetIsolation.exe (PID: 2476)
      • KeAnalyzer.exe (PID: 7888)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4652)
    • Create files in a temporary directory

      • lnstaIer.exe (PID: 2120)
      • powershell.exe (PID: 6424)
      • Reflector_Digital21.exe (PID: 1080)
      • powershell.exe (PID: 4148)
      • XPFix.exe (PID: 900)
      • cvtres.exe (PID: 7524)
      • powershell.exe (PID: 4652)
      • cvtres.exe (PID: 1532)
      • KeAnalyzer.exe (PID: 7888)
    • Application based on Golang

      • wohrNmlgP.exe (PID: 644)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 6424)
      • wohrNmlgP.exe (PID: 644)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
      • CheckNetIsolation.exe (PID: 2476)
    • The sample compiled with chinese language support

      • wohrNmlgP.exe (PID: 644)
      • Reflector_Digital21.exe (PID: 6968)
      • Reflector_Digital21.exe (PID: 1080)
    • Reads settings of System Certificates

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 7084)
      • powershell.exe (PID: 4148)
      • powershell.exe (PID: 4652)
    • Disables trace logs

      • KeAnalyzer.exe (PID: 7888)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • powershell.exe (PID: 2248)
    • Reads product name

      • KeAnalyzer.exe (PID: 7888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
324
Monitored processes
198
Malicious processes
15
Suspicious processes
5


Process information

PID
CMD
Path
Indicators
Parent process
PID: 172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=2476,i,8997068161583636694,847285425387013311,262144 --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:9
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 252
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 348
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 536
CMD: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: wohrNmlgP.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
13
Version:
134.0.6998.36
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\google\chrome\application\134.0.6998.36\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ole32.dll
PID: 644
CMD: C:\Users\admin\AppData\Local\Temp\tmp-31051-PXCydZyBJ0de\wohrNmlgP.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp-31051-PXCydZyBJ0de\wohrNmlgP.exe
Parent process: lnstaIer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tmp-31051-pxcydzybj0de\wohrnmlgp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 760
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\4et4u5hb.kr5" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3916,i,5460940071576514346,7954659114011058130,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
PID: 804
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5388,i,8997068161583636694,847285425387013311,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:14
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 900
CMD: "C:\Users\admin\AppData\Roaming\WSLSvc\XPFix.exe" "C:\Users\admin\AppData\Roaming\WSLSvc\XPFix.exe" /u
Path: C:\Users\admin\AppData\Roaming\WSLSvc\XPFix.exe
Parent process: Reflector_Digital21.exe
User:
admin
Company:
360.cn
Integrity Level:
MEDIUM
Description:
360安全卫士 安全防护中心模块
Exit code:
0
Version:
1, 0, 0, 1013
Modules
Images
c:\windows\syswow64\input.dll
c:\users\admin\appdata\roaming\wslsvc\xpfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
PID: 928
CMD: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: wohrNmlgP.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
13
Version:
134.0.6998.36
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\google\chrome\application\134.0.6998.36\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ole32.dll
PID: 960
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
251 905
Read events
251 777
Write events
128
Delete events
0

Modification events

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\Archive.zip

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (4400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1201000088000000D20400006B020000
Executable files
19
Suspicious files
953
Text files
953
Unknown types
22

Dropped files

PID | Process | Filename
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\ClientCertificates\LOG.old~RF1490c5.TMP
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\ClientCertificates\LOG.old
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\PersistentOriginTrials\LOG.old~RF1490c5.TMP
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\commerce_subscription_db\LOG.old~RF1490c5.TMP
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\PersistentOriginTrials\LOG.old
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\commerce_subscription_db\LOG.old
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\LOG.old~RF1490d4.TMP
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\parcel_tracking_db\LOG.old~RF1490d4.TMP
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\LOG.old
4432 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\parcel_tracking_db\LOG.old
(The Type, MD5 and SHA256 columns are empty for these entries in this excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
240
TCP/UDP connections
200
DNS requests
114
Threats
241

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3216 | msedge.exe | GET | 200 | 150.171.109.193:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=VN | US | | | whitelisted
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/framework-834e107486a0d020.js | US | text | 126 Kb | unknown
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/main-af16c7bd819172a3.js | US | text | 61.2 Kb | unknown
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/webpack-023767403b8f230c.js | US | text | 4.60 Kb | unknown
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/9440-f5e8c349bd1c69e7.js | US | text | 44.1 Kb | unknown
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/pages/_app-cc6b50f61ae85e58.js | US | text | 469 Kb | unknown
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/d7eeaac4-e8982f47558a8e86.js | US | text | 3.71 Kb | unknown
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/17007de1-39a13d3cbd6eb7c1.js | US | text | 1.42 Kb | unknown
3216 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:fUF8ae5g7Pu1VzzOWmhc5eYWvoo9UspP9NOMTaJIOSE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 100 b | whitelisted
3216 | msedge.exe | GET | 200 | 104.26.12.214:443 | https://wormhole.app/_next/static/chunks/1485-dafc8cbe8d5e45fb.js | US | text | 29.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | Not routed | whitelisted
| | 52.110.17.25:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1380 | svchost.exe | 2.18.64.212:80 | | AKAMAI-ASN1 | NL | whitelisted
3216 | msedge.exe | 104.26.12.214:443 | wormhole.app | CLOUDFLARENET | US | suspicious
3876 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
3216 | msedge.exe | 150.171.109.193:443 | api.edgeoffer.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | msedge.exe | 150.171.27.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | msedge.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | msedge.exe | 104.18.23.222:443 | copilot.microsoft.com | CLOUDFLARENET | US | whitelisted

DNS requests

Domain | IP | Reputation
officeclient.microsoft.com | 52.110.17.25, 52.110.17.38, 52.110.17.46, 52.110.17.75 | whitelisted
google.com | 142.251.13.102, 142.251.13.139, 142.251.13.113, 142.251.13.101, 142.251.13.138, 142.251.13.100 | whitelisted
api.edgeoffer.microsoft.com | 150.171.109.193 | whitelisted
edge.microsoft.com | 150.171.28.11, 150.171.27.11 | whitelisted
wormhole.app | 104.26.12.214, 172.67.70.141, 104.26.13.214 | unknown
config.edge.skype.com | 150.171.22.17 | whitelisted
copilot.microsoft.com | 104.18.23.222, 104.18.22.222 | whitelisted
www.bing.com | 2.16.241.218, 2.16.241.201, 95.101.23.64, 95.101.23.81, 95.101.23.83, 95.101.23.43, 95.101.23.74, 95.101.23.75, 95.101.23.88 | whitelisted
relay.wormhole.app | 50.116.12.82 | unknown
update.googleapis.com | 192.178.183.94 | whitelisted

Threats

PID | Process | Class | Message
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (wormhole .app)
3216 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (wormhole .app)

Process | Message
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome78041692125 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome78081692375 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome45561694578 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome12681694765 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome31921696968 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome48561697171 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome65241697593 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome38921697750 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome54641699937 directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChrome38121700093 directory exists )