URL:

https://docu-flex.com/DocuFlex.exe

Full analysis: https://app.any.run/tasks/7fafb166-66a8-4f1e-a4c6-ce75871c825d
Verdict: Malicious activity
Analysis date: February 25, 2025, 17:53:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
inno
installer
delphi
Indicators:
MD5:

69028453BCB8FAA18B579CECE50EE4DF

SHA1:

7C13A7CB376E73E27621F69DC356403E6F7D767D

SHA256:

A0F66ED9B27AB387181816E9B184974CB343821C05C32EEEA71E5CF709B7B002

SSDEEP:

3:N8SHITQuSn:2SH43S
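A check worth running before these header hashes go into a blocklist: the ssdeep signature has block size 3, the smallest value the algorithm uses, which only occurs for inputs of a few hundred bytes at most, and its first chunk is 10 characters, roughly 30 bytes of input, about the length of the submitted URL. A multi-megabyte Inno Setup installer cannot produce that signature, so the MD5/SHA1/SHA256 above were most likely computed over something other than the PE (ANY.RUN URL tasks appear to hash the submitted URL string; treat that as an assumption and test it). The Python below is an added example, not part of the ANY.RUN report, that hashes arbitrary bytes, compares them case-insensitively with the report's indicators, and derives the ssdeep block size and rough input length; the 1024-byte "plausible PE" threshold is this example's own assumption.

```python
import hashlib

# Indicator values copied from the report header above.
REPORT_IOCS = {
    "md5": "69028453BCB8FAA18B579CECE50EE4DF",
    "sha1": "7C13A7CB376E73E27621F69DC356403E6F7D767D",
    "sha256": "A0F66ED9B27AB387181816E9B184974CB343821C05C32EEEA71E5CF709B7B002",
    "ssdeep": "3:N8SHITQuSn:2SH43S",
}
REPORT_URL = "https://docu-flex.com/DocuFlex.exe"

SSDEEP_MIN_BLOCKSIZE = 3  # smallest block size the ssdeep algorithm ever uses


def hashes_of(data: bytes) -> dict:
    """Lower-case hex digests of the three fixed-size hashes ANY.RUN lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: dict = REPORT_IOCS) -> dict:
    """Per-algorithm match of data against the indicators; hex case is ignored."""
    got = hashes_of(data)
    return {algo: got[algo] == iocs[algo].lower() for algo in ("md5", "sha1", "sha256")}


def ssdeep_parts(sig: str) -> tuple:
    """Split 'blocksize:chunk1:chunk2[,filename]' into (int blocksize, chunk1, chunk2)."""
    bs, c1, c2 = sig.split(",", 1)[0].split(":", 2)
    return int(bs), c1, c2


def ssdeep_blocksize(sig: str) -> int:
    return ssdeep_parts(sig)[0]


def ssdeep_approx_input_len(sig: str) -> int:
    """Rough input length: the rolling hash emits about one chunk-1 character
    per blocksize bytes, so blocksize * len(chunk1) estimates the input size."""
    bs, c1, _ = ssdeep_parts(sig)
    return bs * len(c1)


def ssdeep_plausible_for_pe(sig: str, min_pe_bytes: int = 1024) -> bool:
    """Could this signature describe a Windows installer? Any real one is far
    larger than min_pe_bytes (an assumed threshold, not an ssdeep constant)."""
    bs = ssdeep_blocksize(sig)
    if bs < SSDEEP_MIN_BLOCKSIZE or bs % SSDEEP_MIN_BLOCKSIZE:
        raise ValueError(f"malformed ssdeep block size: {bs}")
    return ssdeep_approx_input_len(sig) >= min_pe_bytes


def triage_indicators(iocs: dict = REPORT_IOCS, candidate: bytes = REPORT_URL.encode()) -> dict:
    """What to know about the header hashes before using them for matching."""
    return {
        "ssdeep_blocksize": ssdeep_blocksize(iocs["ssdeep"]),
        "ssdeep_approx_input_len": ssdeep_approx_input_len(iocs["ssdeep"]),
        "ssdeep_plausible_for_pe": ssdeep_plausible_for_pe(iocs["ssdeep"]),
        "candidate_matches": match_iocs(candidate, iocs),
    }


if __name__ == "__main__":
    print(triage_indicators())
```

`triage_indicators()` hashes the URL string as the candidate; if all three matches come back False the indicators belong to some other object, and the downloaded DocuFlex.exe has to be hashed separately before its values are used anywhere.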

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • DocuFlex.tmp (PID: 8116)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DocuFlex.exe (PID: 7992)
      • DocuFlex.exe (PID: 5728)
      • DocuFlex.tmp (PID: 8116)
      • FoxitPDFReader.exe (PID: 6840)
    • Creates file in the systems drive root

      • explorer.exe (PID: 5492)
      • FoxitPDFReaderUpdateService.exe (PID: 7380)
    • Reads security settings of Internet Explorer

      • DocuFlex.tmp (PID: 8116)
      • DocuFlex.tmp (PID: 7840)
      • CountInstallation.exe (PID: 5164)
      • FoxitUpdater.exe (PID: 7672)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReaderUpdater.exe (PID: 7596)
      • FoxitPDFReader.exe (PID: 6840)
    • Reads the Windows owner or organization settings

      • DocuFlex.tmp (PID: 8116)
    • There is functionality for taking screenshot (YARA)

      • DocuFlex.tmp (PID: 8116)
    • Uses TASKKILL.EXE to kill process

      • DocuFlex.tmp (PID: 8116)
    • Process drops legitimate windows executable

      • DocuFlex.tmp (PID: 8116)
    • The process drops C-runtime libraries

      • DocuFlex.tmp (PID: 8116)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 8140)
      • regsvr32.exe (PID: 7212)
      • regsvr32.exe (PID: 680)
      • regsvr32.exe (PID: 6744)
      • DocuFlex.tmp (PID: 8116)
    • Hides command output

      • regini.exe (PID: 3272)
      • regini.exe (PID: 1120)
      • regini.exe (PID: 7784)
      • regini.exe (PID: 4120)
    • Executes as Windows Service

      • FoxitPDFReaderUpdateService.exe (PID: 7380)
    • Checks Windows Trust Settings

      • CountInstallation.exe (PID: 5164)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReaderUpdater.exe (PID: 7596)
  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4896)
      • msedge.exe (PID: 232)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7148)
      • BackgroundTransferHost.exe (PID: 3180)
      • BackgroundTransferHost.exe (PID: 3996)
      • BackgroundTransferHost.exe (PID: 8136)
      • BackgroundTransferHost.exe (PID: 4172)
      • explorer.exe (PID: 5492)
    • Checks transactions between databases Windows and Oracle

      • explorer.exe (PID: 5492)
    • Checks supported languages

      • identity_helper.exe (PID: 7520)
      • DocuFlex.exe (PID: 7992)
      • DocuFlex.tmp (PID: 7840)
      • DocuFlex.exe (PID: 5728)
      • DocuFlex.tmp (PID: 8116)
      • FoxitPreviewhost.exe (PID: 6748)
      • FoxitPDFReader.exe (PID: 3180)
      • FoxitPDFReader.exe (PID: 3552)
      • CountInstallation.exe (PID: 5164)
      • FoxitPDFReaderUpdateService.exe (PID: 7380)
      • FoxitPDFReader.exe (PID: 7436)
      • FoxitPDFReaderUpdateService.exe (PID: 5868)
      • FoxitUpdater.exe (PID: 7672)
      • FoxitPDFReaderUpdater.exe (PID: 7596)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReader.exe (PID: 6840)
    • Reads the computer name

      • identity_helper.exe (PID: 7520)
      • DocuFlex.tmp (PID: 8116)
      • DocuFlex.tmp (PID: 7840)
      • FoxitPreviewhost.exe (PID: 6748)
      • FoxitPDFReader.exe (PID: 3180)
      • FoxitPDFReader.exe (PID: 3552)
      • FoxitPDFReader.exe (PID: 7436)
      • FoxitPDFReaderUpdateService.exe (PID: 5868)
      • FoxitPDFReaderUpdateService.exe (PID: 7380)
      • CountInstallation.exe (PID: 5164)
      • FoxitUpdater.exe (PID: 7672)
      • FoxitPDFReader.exe (PID: 6840)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReaderUpdater.exe (PID: 7596)
    • Reads Environment values

      • identity_helper.exe (PID: 7520)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 3180)
      • explorer.exe (PID: 5492)
      • DocuFlex.tmp (PID: 8116)
      • FoxitPDFReader.exe (PID: 3180)
      • FoxitPDFReader.exe (PID: 3552)
      • CountInstallation.exe (PID: 5164)
      • FoxitUpdater.exe (PID: 7672)
      • FoxitPDFReader.exe (PID: 6840)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 3180)
      • explorer.exe (PID: 5492)
      • DocuFlex.tmp (PID: 8116)
      • slui.exe (PID: 6516)
      • CountInstallation.exe (PID: 5164)
      • FoxitUpdater.exe (PID: 7672)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReader.exe (PID: 6840)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 3180)
      • explorer.exe (PID: 5492)
      • slui.exe (PID: 7628)
      • slui.exe (PID: 6516)
      • FoxitUpdater.exe (PID: 7672)
      • CountInstallation.exe (PID: 5164)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReaderUpdateService.exe (PID: 7380)
      • FoxitPDFReaderUpdater.exe (PID: 7596)
    • Create files in a temporary directory

      • DocuFlex.exe (PID: 7992)
      • DocuFlex.exe (PID: 5728)
      • DocuFlex.tmp (PID: 8116)
      • CountInstallation.exe (PID: 5164)
      • FoxitPDFReader.exe (PID: 6840)
    • Process checks computer location settings

      • DocuFlex.tmp (PID: 7840)
      • DocuFlex.tmp (PID: 8116)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
    • The sample compiled with english language support

      • DocuFlex.tmp (PID: 8116)
      • msedge.exe (PID: 232)
    • Detects InnoSetup installer (YARA)

      • DocuFlex.exe (PID: 7992)
      • DocuFlex.tmp (PID: 7840)
      • DocuFlex.exe (PID: 5728)
      • DocuFlex.tmp (PID: 8116)
    • The sample compiled with chinese language support

      • DocuFlex.tmp (PID: 8116)
    • Compiled with Borland Delphi (YARA)

      • DocuFlex.tmp (PID: 7840)
      • DocuFlex.tmp (PID: 8116)
      • DocuFlex.exe (PID: 7992)
      • DocuFlex.exe (PID: 5728)
    • Application launched itself

      • msedge.exe (PID: 4896)
    • Creates files in the program directory

      • DocuFlex.tmp (PID: 8116)
      • FoxitPDFReaderUpdateService.exe (PID: 7380)
      • FoxitPDFReader.exe (PID: 6840)
    • Creates a software uninstall entry

      • DocuFlex.tmp (PID: 8116)
    • Reads the machine GUID from the registry

      • FoxitPDFReader.exe (PID: 3552)
      • FoxitPDFReader.exe (PID: 3180)
      • FoxitPDFReader.exe (PID: 7436)
      • CountInstallation.exe (PID: 5164)
      • Foxit_PhantomPDF_Setup.exe (PID: 3264)
      • FoxitPDFReader.exe (PID: 6840)
      • FoxitPDFReaderUpdater.exe (PID: 7596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
234
Monitored processes
93
Malicious processes
3
Suspicious processes
4

Behavior graph

Process launch order as shown in the graph (ANY.RUN marks processes without a detail card as "no specs"; that marker is dropped here): msedge.exe (many browser helper processes), Set Network Location Elevated Virtual Factory, sppextcomobj.exe, slui.exe, identity_helper.exe (2), backgroundtransferhost.exe (5), rundll32.exe, explorer.exe, docuflex.exe, docuflex.tmp, docuflex.exe, docuflex.tmp, taskkill.exe, conhost.exe, slui.exe, regsvr32.exe (6), foxitpreviewhost.exe, foxitpdfreader.exe (2), regini.exe with conhost.exe (4 pairs), foxitpdfreader.exe, foxitpdfreaderupdateservice.exe, conhost.exe, foxitpdfreaderupdateservice.exe, countinstallation.exe, foxitupdater.exe, foxit_phantompdf_setup.exe, foxitpdfreader.exe, foxitpdfreaderupdater.exe, with further msedge.exe processes interleaved throughout.

Process information

Each entry gives PID, CMD (command line as recorded), Path (the executable actually mapped), Parent process, then the process details and the first loaded modules. The Indicators column is empty for the processes listed here.
PID:
188
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
regini.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
232
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5244 --field-trial-handle=2356,i,12116211662600933585,12729852042241890234,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
660
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\FoxitPDFReaderBrowserAx64.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
DocuFlex.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
680
CMD:
 /s "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\Shell Extensions\FoxitThumbnailHndlr_x64.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
968
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7532 --field-trial-handle=2356,i,12116211662600933585,12729852042241890234,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7ffc88665fd8,0x7ffc88665fe4,0x7ffc88665ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1120
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5664 --field-trial-handle=2356,i,12116211662600933585,12729852042241890234,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1120
CMD:
"C:\WINDOWS\SYSTEM32\regini.exe" "C:\Users\admin\AppData\Roaming\Foxit Software\Continuous\Foxit PDF Reader\fileassoc.ini" >NUL 2>&1
Path:
C:\Windows\SysWOW64\regini.exe
Parent process:
FoxitPDFReader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Initializer
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regini.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1132
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2548 --field-trial-handle=2356,i,12116211662600933585,12729852042241890234,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1348
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7708 --field-trial-handle=2356,i,12116211662600933585,12729852042241890234,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
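The only MALICIOUS-rated signature in this report is "Registers / Runs the DLL via REGSVR32.EXE" from DocuFlex.tmp, and the process rows above show what that was: a silent (/s) registration of Foxit PDF Reader plugin and shell-extension DLLs under C:\Program Files (x86)\Foxit Software, in which the 32-bit regsvr32 (SysWOW64, parent DocuFlex.tmp) handed the 64-bit DLL to a 64-bit regsvr32 child (PID 680, parent regsvr32.exe), consistent with the documented regsvr32 behaviour for a 64-bit DLL. The "Hides command output" hits are regini.exe runs whose parent is FoxitPDFReader.exe and whose command line ends in >NUL 2>&1; with no cmd.exe in the chain those tokens reach regini as ordinary arguments, which is consistent with its exit code 1. In both the regsvr32 and regini rows the command line names C:\WINDOWS\system32 while the loaded image is C:\Windows\SysWOW64: WOW64 file-system redirection for a 32-bit parent, not a masquerading binary. Nothing in the report separates this from what a genuine Foxit installer does, so the verdict has to rest on the docu-flex.com distribution channel and on Authenticode verification of the dropped Foxit binaries. The Python below is an added example, not part of the ANY.RUN report, that encodes these checks as triage rules over process rows; the sample events are constructed from the rows above (plus a benign msedge.exe control), and the field and check names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    cmdline: str   # the report's CMD column (command line as recorded)
    image: str     # the report's Path column (executable actually mapped)
    parent: str    # the report's Parent process column (image name only)


# Constructed from the Process information rows of the report; the msedge.exe
# row is a benign control that should produce no findings.
SAMPLE_EVENTS = [
    ProcessEvent(660,
        r'"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\FoxitPDFReaderBrowserAx64.dll"',
        r"C:\Windows\SysWOW64\regsvr32.exe", "DocuFlex.tmp"),
    ProcessEvent(680,
        r' /s "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\Shell Extensions\FoxitThumbnailHndlr_x64.dll"',
        r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe"),
    ProcessEvent(1120,
        r'"C:\WINDOWS\SYSTEM32\regini.exe" "C:\Users\admin\AppData\Roaming\Foxit Software\Continuous\Foxit PDF Reader\fileassoc.ini" >NUL 2>&1',
        r"C:\Windows\SysWOW64\regini.exe", "FoxitPDFReader.exe"),
    ProcessEvent(188,
        r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
        r"C:\Windows\System32\conhost.exe", "regini.exe"),
    ProcessEvent(232,
        r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US',
        r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe"),
]

DLL_RE = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)
# argv[0] as written on the command line, quoted or not, with or without the \??\ prefix
ARGV0_RE = re.compile(r'^(?:\\\?\?\\)?"?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
SHELL_REDIRECT_RE = re.compile(r"(^|\s)>\s*nul\b|2>&1", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_target(ev: ProcessEvent) -> Optional[str]:
    """DLL handed to regsvr32, or None when the event is not a regsvr32 run."""
    if image_name(ev.image) != "regsvr32.exe":
        return None
    m = DLL_RE.search(ev.cmdline)
    return m.group(1) if m else None


def wow64_redirected(ev: ProcessEvent) -> bool:
    """Command line names System32 but the mapped image is in SysWOW64: WOW64
    file-system redirection applied to a 32-bit parent, not masquerading."""
    m = ARGV0_RE.match(ev.cmdline.strip())
    if not m:
        return False
    return "\\system32\\" in m.group(1).lower() and "\\syswow64\\" in ev.image.lower()


def shell_redirection_without_shell(ev: ProcessEvent) -> bool:
    """'>NUL 2>&1' only means something to cmd.exe; launched by any other parent
    the tokens are passed to the child as ordinary arguments."""
    return bool(SHELL_REDIRECT_RE.search(ev.cmdline)) and image_name(ev.parent) != "cmd.exe"


def triage(events: List[ProcessEvent]) -> List[Dict]:
    findings = []
    for ev in events:
        dll = regsvr32_target(ev)
        if dll:
            findings.append({
                "pid": ev.pid, "check": "regsvr32_silent_register", "dll": dll,
                "silent": "/s" in ev.cmdline.lower().split(),
                # Program Files is where an installer registers its own COM servers;
                # a DLL registered from %TEMP% or a user profile deserves a harder look.
                "dll_in_program_files": dll.lower().startswith(r"c:\program files"),
                # the 32-bit regsvr32 re-launches the 64-bit one for a 64-bit DLL,
                # so a regsvr32 child of regsvr32 is expected rather than suspicious.
                "spawned_by_regsvr32": image_name(ev.parent) == "regsvr32.exe",
            })
        if wow64_redirected(ev):
            findings.append({"pid": ev.pid, "check": "wow64_redirect", "image": ev.image})
        if shell_redirection_without_shell(ev):
            findings.append({"pid": ev.pid, "check": "shell_redirection_without_shell",
                             "parent": ev.parent})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The rules deliberately report context (DLL location, whether the parent is regsvr32, whether the apparent path mismatch is WOW64 redirection) instead of a verdict, because each of the three behaviours on its own is also what a legitimate 32-bit installer produces on 64-bit Windows.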
Total events
38 532
Read events
37 287
Write events
1 150
Delete events
95

Modification events

PID / Process: 4896 msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

PID / Process: 4896 msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

PID / Process: 4896 msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

PID / Process: 4896 msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

PID / Process: 4896 msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 34E24C6C918D2F00

PID / Process: 4896 msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 17726A6C918D2F00

PID / Process: 4896 msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262788
Operation: write
Name: WindowTabManagerFileMappingId
Value: {4938201E-B7D6-4C61-8CC9-3F38EE786C29}

PID / Process: 5492 explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000040284
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

PID / Process: 5492 explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000030308
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

PID / Process: 4896 msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262788
Operation: write
Name: WindowTabManagerFileMappingId
Value: {7A5FF527-ACC8-45D9-814E-150127FA066B}
Executable files
236
Suspicious files
969
Text files
1 229
Unknown types
1

Dropped files

PID | Process | Filename (the MD5 and SHA256 columns are empty for every row shown)
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF128872.TMP
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF128872.TMP
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF128891.TMP
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF128872.TMP
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1288c0.TMP
4896 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
67
TCP/UDP connections
84
DNS requests
80
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row shown)
3180 | BackgroundTransferHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
1184 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5424 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1740584456&P2=404&P3=2&P4=BHuymgZvPzn5STWgDtkyBRKFOnEq4IndlQKS4tGwJSGmxA1mBXePBs9fcBt%2bDKr5Njvdh3ISSOxYRycuzfP0pw%3d%3d | unknown | whitelisted
5424 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1740584456&P2=404&P3=2&P4=BHuymgZvPzn5STWgDtkyBRKFOnEq4IndlQKS4tGwJSGmxA1mBXePBs9fcBt%2bDKr5Njvdh3ISSOxYRycuzfP0pw%3d%3d | unknown | whitelisted
1184 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5424 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1740584456&P2=404&P3=2&P4=BHuymgZvPzn5STWgDtkyBRKFOnEq4IndlQKS4tGwJSGmxA1mBXePBs9fcBt%2bDKr5Njvdh3ISSOxYRycuzfP0pw%3d%3d | unknown | whitelisted
5424 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1740584456&P2=404&P3=2&P4=BHuymgZvPzn5STWgDtkyBRKFOnEq4IndlQKS4tGwJSGmxA1mBXePBs9fcBt%2bDKr5Njvdh3ISSOxYRycuzfP0pw%3d%3d | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA2FqeNSXmQAFhubn6LE0mw%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
(not shown) | (not shown) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1132 | msedge.exe | 188.114.96.3:443 | docu-flex.com | | | unknown
1132 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4896 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
1132 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1132 | msedge.exe | 13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1132 | msedge.exe | 13.107.246.60:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1132 | msedge.exe | 2.19.11.120:443 | bzib.nelreports.net | Elisa Oyj | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
docu-flex.com
  • 188.114.96.3
  • 188.114.97.3
unknown
edge-mobile-static.azureedge.net
  • 13.107.246.60
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.19.11.120
  • 2.19.11.100
  • 23.50.131.95
  • 23.50.131.74
whitelisted
edgeservices.bing.com
  • 23.15.178.242
  • 23.15.178.168
  • 23.15.178.200
  • 23.15.178.185
  • 23.15.178.184
  • 23.15.178.187
  • 23.15.178.234
  • 23.15.178.136
  • 23.15.178.138
whitelisted
update.googleapis.com
  • 142.250.185.195
whitelisted

Threats

No threats detected
No debug info