URL:

https://yomst.org/cjyrl4k.php?key=v6pbkx2uk2v8ssetogy4&t1=ALL&t2=me&t3=19&t4=badious-buzzard&t5=whiskey-wat-zaG4Ywve&cid=2e748usft7vc8fe135&type=success

Full analysis: https://app.any.run/tasks/20b5c068-3f86-4084-b0f1-2abf4555ddfb
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 14, 2025, 16:41:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MD5:

D3C76EE1B7706173D36C7D4A844F1C29

SHA1:

A5EF5CC6F39A580122C3933FD03E193798428F0F

SHA256:

9ADDCA6ED89A136D77F6D6A98CEBA84137019A0385CF9F9B79CACB645EC2FEAB

SSDEEP:

3:N82W+XJRpTeBRzCcLOY9Dt5RRYHoMLYuh+e5NAncfXR:22W+5Rp+RT6Y/8cuv5NAEB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Deletes shadow copies

      • TotalAV_Setup.exe (PID: 7816)

    • Steals credentials from Web Browsers

      • TotalAV.exe (PID: 4648)

    • Actions looks like stealing of personal data

      • TotalAV.exe (PID: 4648)

    • Starts NET.EXE for service management

      • net.exe (PID: 1176)
      • epp-sdk.tmp (PID: 7084)
      • net.exe (PID: 2772)
      • net.exe (PID: 2800)
      • net.exe (PID: 4892)
      • net.exe (PID: 7152)
      • net.exe (PID: 3304)
      • net.exe (PID: 7292)
      • net.exe (PID: 1268)
      • net.exe (PID: 7868)
      • net.exe (PID: 3804)
      • net.exe (PID: 3612)
      • net.exe (PID: 1664)
      • net.exe (PID: 5640)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)

    • Executable content was dropped or overwritten

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)
      • epp-sdk.exe (PID: 300)
      • epp-sdk.tmp (PID: 7084)
      • SecurityService.exe (PID: 4028)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)

    • Reads security settings of Internet Explorer

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)
      • epp-sdk.tmp (PID: 7084)

    • There is functionality for taking screenshot (YARA)

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)

    • Get information on the list of running processes

      • TotalAV_Setup.exe (PID: 7816)

    • The process verifies whether the antivirus software is installed

      • WMIC.exe (PID: 4120)
      • conhost.exe (PID: 4180)
      • WMIC.exe (PID: 6240)
      • conhost.exe (PID: 7144)
      • SecurityService.exe (PID: 6964)
      • conhost.exe (PID: 2140)
      • sc.exe (PID: 5500)
      • subinacl.exe (PID: 7924)
      • TotalAV.exe (PID: 4648)
      • SecurityService.exe (PID: 8064)
      • conhost.exe (PID: 3768)
      • epp-sdk.exe (PID: 300)
      • TotalAV_Setup.exe (PID: 7816)
      • net.exe (PID: 2772)
      • conhost.exe (PID: 7712)
      • conhost.exe (PID: 6820)
      • SecurityService.exe (PID: 4028)
      • fltMC.exe (PID: 5180)
      • conhost.exe (PID: 6340)
      • conhost.exe (PID: 6760)
      • sc.exe (PID: 6136)
      • net.exe (PID: 2800)
      • conhost.exe (PID: 2408)
      • net1.exe (PID: 3100)
      • conhost.exe (PID: 2104)
      • net.exe (PID: 4892)
      • net.exe (PID: 1268)
      • conhost.exe (PID: 6708)
      • epp-sdk.tmp (PID: 7084)
      • net1.exe (PID: 4276)
      • net.exe (PID: 7292)
      • net1.exe (PID: 4784)
      • conhost.exe (PID: 3796)
      • sc.exe (PID: 2148)
      • conhost.exe (PID: 5956)
      • sc.exe (PID: 3992)
      • net1.exe (PID: 1628)
      • net1.exe (PID: 5380)
      • conhost.exe (PID: 7164)
      • sc.exe (PID: 772)
      • net.exe (PID: 5640)
      • sc.exe (PID: 7708)
      • conhost.exe (PID: 1056)
      • net1.exe (PID: 1204)
      • net.exe (PID: 1664)
      • conhost.exe (PID: 7104)
      • conhost.exe (PID: 6892)
      • net1.exe (PID: 6780)
      • conhost.exe (PID: 2968)

    • Uses WMIC.EXE

      • TotalAV_Setup.exe (PID: 7816)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5352)
      • SecurityService.exe (PID: 8064)

    • Process drops legitimate windows executable

      • TotalAV_Setup.exe (PID: 7816)

    • The process drops C-runtime libraries

      • TotalAV_Setup.exe (PID: 7816)

    • Drops a system driver (possible attempt to evade defenses)

      • TotalAV_Setup.exe (PID: 7816)

    • Creates a software uninstall entry

      • TotalAV_Setup.exe (PID: 7816)

    • Creates a new Windows service

      • sc.exe (PID: 5500)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6612)
      • sc.exe (PID: 6136)
      • sc.exe (PID: 6544)
      • sc.exe (PID: 6340)
      • sc.exe (PID: 2148)
      • sc.exe (PID: 6416)
      • sc.exe (PID: 772)
      • sc.exe (PID: 4376)
      • sc.exe (PID: 3992)
      • sc.exe (PID: 7928)
      • sc.exe (PID: 7812)
      • sc.exe (PID: 7708)
      • sc.exe (PID: 5256)
      • sc.exe (PID: 7928)

    • Searches for installed software

      • dllhost.exe (PID: 7720)

    • Application launched itself

      • SecurityService.exe (PID: 8064)

    • Reads the Windows owner or organization settings

      • epp-sdk.tmp (PID: 7084)

    • Write to the desktop.ini file (may be used to cloak folders)

      • epp-sdk.tmp (PID: 7084)

    • Starts SC.EXE for service management

      • epp-sdk.tmp (PID: 7084)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 4200)

    • Checks supported languages

      • identity_helper.exe (PID: 2320)
      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)
      • SecurityService.exe (PID: 6964)
      • subinacl.exe (PID: 7924)
      • TotalAV.exe (PID: 4648)
      • SecurityService.exe (PID: 8064)
      • SecurityService.exe (PID: 4028)
      • epp-sdk.exe (PID: 300)
      • epp-sdk.tmp (PID: 7084)

    • Reads Environment values

      • identity_helper.exe (PID: 2320)

    • Reads the computer name

      • identity_helper.exe (PID: 2320)
      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)
      • SecurityService.exe (PID: 6964)
      • subinacl.exe (PID: 7924)
      • TotalAV.exe (PID: 4648)
      • SecurityService.exe (PID: 8064)
      • epp-sdk.exe (PID: 300)
      • epp-sdk.tmp (PID: 7084)
      • SecurityService.exe (PID: 4028)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7376)
      • msedge.exe (PID: 4200)

    • The sample compiled with english language support

      • msedge.exe (PID: 7376)
      • msedge.exe (PID: 4200)
      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)
      • epp-sdk.tmp (PID: 7084)

    • Create files in a temporary directory

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV_Setup.exe (PID: 7816)
      • TotalAV.exe (PID: 4648)

    • Reads the software policy settings

      • slui.exe (PID: 6576)
      • TotalAV_Setup.exe (PID: 7152)
      • slui.exe (PID: 6516)
      • TotalAV.exe (PID: 4648)
      • SecurityService.exe (PID: 8064)
      • SecurityService.exe (PID: 4028)

    • Reads the machine GUID from the registry

      • TotalAV_Setup.exe (PID: 7152)
      • SecurityService.exe (PID: 4028)
      • epp-sdk.tmp (PID: 7084)

    • Checks proxy server information

      • TotalAV_Setup.exe (PID: 7152)
      • slui.exe (PID: 6516)
      • TotalAV.exe (PID: 4648)

    • Creates files or folders in the user directory

      • TotalAV_Setup.exe (PID: 7152)
      • TotalAV.exe (PID: 4648)

    • Creates files in the program directory

      • TotalAV_Setup.exe (PID: 7816)
      • SecurityService.exe (PID: 6964)
      • SecurityService.exe (PID: 8064)
      • SecurityService.exe (PID: 4028)
      • epp-sdk.tmp (PID: 7084)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4120)
      • WMIC.exe (PID: 6240)

    • Process checks computer location settings

      • SecurityService.exe (PID: 6964)
      • TotalAV_Setup.exe (PID: 7816)
      • TotalAV.exe (PID: 4648)
      • SecurityService.exe (PID: 8064)
      • SecurityService.exe (PID: 4028)

    • Manages system restore points

      • SrTasks.exe (PID: 7956)

    • Disables trace logs

      • SecurityService.exe (PID: 4028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
292
Monitored processes
151
Malicious processes
11
Suspicious processes
14

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs totalav_setup.exe no specs totalav_setup.exe msedge.exe no specs msedge.exe no specs slui.exe totalav_setup.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs msedge.exe no specs SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs SPPSurrogate no specs securityservice.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs subinacl.exe no specs conhost.exe no specs totalav.exe securityservice.exe securityservice.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs epp-sdk.exe msedge.exe no specs epp-sdk.tmp fltmc.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
240\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
300"epp-sdk.exe" /DIR="C:\Program Files (x86)\TotalAV" /AppData="C:\ProgramData\TotalAV\Endpoint Protection SDK" /License="C:\Program Files (x86)\TotalAV\epp.lic" /LogLevel=Debug /Config="C:\Program Files (x86)\TotalAV\eppconfig.json" /VERYSILENT /LogMaxFileSize=104857600 /WscAppName="TotalAV" /UiPath="C:\Program Files (x86)\TotalAV\TotalAV.exe" /UpdateServer=https://epp.protected.net /UpdateAfterInstall=onC:\Program Files (x86)\TotalAV\epp-sdk.exe
SecurityService.exe
User:
SYSTEM
Company:
Avira Operations GmbH
Integrity Level:
SYSTEM
Description:
Endpoint Protection SDK Setup
Version:
1.0.2410.4113
Modules
Images
c:\program files (x86)\totalav\epp-sdk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
772"sc.exe" delete netprotection_network_filter2C:\Windows\System32\sc.exeepp-sdk.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
800\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6296 --field-trial-handle=2344,i,7033962680526903373,16137908676084248949,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856"fltmc.exe" unload rtp_filesystem_filterC:\Windows\System32\fltMC.exeepp-sdk.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Filter Manager Control Program
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fltmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1004"fltmc.exe" unload rtp1C:\Windows\System32\fltMC.exeepp-sdk.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Filter Manager Control Program
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fltmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1040"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7008 --field-trial-handle=2344,i,7033962680526903373,16137908676084248949,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
20 695
Read events
20 434
Write events
243
Delete events
18

Modification events

(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(4200) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
169DF363E68E2F00
(PID) Process:(4200) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D1EAFC63E68E2F00
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197346
Operation:writeName:WindowTabManagerFileMappingId
Value:
{47A72860-81DF-4587-B703-F6FE7054048D}
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197346
Operation:writeName:WindowTabManagerFileMappingId
Value:
{1F4C6E08-DB6A-44A7-9220-ED1E9DEB056F}
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197346
Operation:writeName:WindowTabManagerFileMappingId
Value:
{66C4A7B6-96D0-45C9-9AD8-7E278225E333}
(PID) Process:(4200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197346
Operation:writeName:WindowTabManagerFileMappingId
Value:
{1338C686-9066-41A1-B539-44A8A08FC059}
Executable files
539
Suspicious files
711
Text files
387
Unknown types
0

Dropped files

PID
Process
Filename
Type
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10d6e9.TMP
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10d6ca.TMP
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10d6f9.TMP
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10d6e9.TMP
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10d718.TMP
MD5:
SHA256:
4200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
115
DNS requests
92
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5204
svchost.exe
GET
206
217.20.57.35:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5643cf9d-4e0e-4f1a-bd96-6abb91536f90?P1=1742569936&P2=404&P3=2&P4=WiHjUxxyRRRobRcHWgLNhsBDrao78gDdwRMJqwpaUHlcFwFfD0eEpQqJKHsGkBtJWPPgqhdEKnsIyh51C2rGaw%3d%3d
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6040
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7720
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5204
svchost.exe
HEAD
200
217.20.57.35:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5643cf9d-4e0e-4f1a-bd96-6abb91536f90?P1=1742569936&P2=404&P3=2&P4=WiHjUxxyRRRobRcHWgLNhsBDrao78gDdwRMJqwpaUHlcFwFfD0eEpQqJKHsGkBtJWPPgqhdEKnsIyh51C2rGaw%3d%3d
unknown
whitelisted
5204
svchost.exe
GET
206
217.20.57.35:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5643cf9d-4e0e-4f1a-bd96-6abb91536f90?P1=1742569936&P2=404&P3=2&P4=WiHjUxxyRRRobRcHWgLNhsBDrao78gDdwRMJqwpaUHlcFwFfD0eEpQqJKHsGkBtJWPPgqhdEKnsIyh51C2rGaw%3d%3d
unknown
whitelisted
5204
svchost.exe
GET
206
217.20.57.35:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5643cf9d-4e0e-4f1a-bd96-6abb91536f90?P1=1742569936&P2=404&P3=2&P4=WiHjUxxyRRRobRcHWgLNhsBDrao78gDdwRMJqwpaUHlcFwFfD0eEpQqJKHsGkBtJWPPgqhdEKnsIyh51C2rGaw%3d%3d
unknown
whitelisted
7152
TotalAV_Setup.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
7152
TotalAV_Setup.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4200
msedge.exe
239.255.255.250:1900
whitelisted
7376
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
  • 23.53.41.90
  • 23.53.40.202
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.131
  • 40.126.31.131
  • 40.126.31.71
  • 20.190.159.128
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
yomst.org
  • 162.55.244.120
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.44
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://yomst.org/cjyrl4k.php?key=v6pbkx2uk2v8ssetogy4&t1=ALL&t2=me&t3=19&t4=badious-buzzard&t5=whiskey-wat-zaG4Ywve&cid=2e748usft7vc8fe135&type=success