Malware analysis Www.google.com Malicious activity | ANY.RUN

Add for printing

URL:	Www.google.com
Full analysis:	https://app.any.run/tasks/732a8482-d565-4bb9-8fc8-594d61f4c0c6
Verdict:	Malicious activity
Analysis date:	December 14, 2024, 02:27:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
MD5:	BD6CBA3DEF4501ECEC0CD849AC0BF345
SHA1:	422239DD4D6C992445D1AB8BE8DF829B5432C4D9
SHA256:	A20F61D619B4A116E8AB9CCADAE0B3AC116E1C4C05B9402695C21A222B0F80FA
SSDEEP:	3:8+K:DK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
Client LanguagePack Package
DotNetRollup
DotNetRollup
DotNetRollup 481
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
Hello Face Package
InternetExplorer Optional Package
InternetExplorer Optional Package
KB4562830
KB5003791
KB5007401
KB5011048
KB5012170
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MediaPlayer Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
OpenSSH Client Package
OpenSSH Client Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
ProfessionalEdition
ProfessionalEdition
QuickAssist Package
QuickAssist Package
RollupFix
RollupFix
ServicingStack
ServicingStack
ServicingStack 1852
ServicingStack 3989
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
TabletPCMath Package
TabletPCMath Package
UserExperience Desktop Package
UserExperience Desktop Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
Xps Xps Viewer Opt Package
Xps Xps Viewer Opt Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Potential Corporate Privacy Violation
  - msedge.exe (PID: 4792)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

171

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
4792	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2604 --field-trial-handle=2320,i,16194277592197507296,15814343983252007256,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

142

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c4		binary
		MD5:F61F0D4D0F968D5BBA39A84C76277E1A	SHA256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF2b5f64.TMP		binary
		MD5:2A21453795942FD88CBB06714604B9FD	SHA256:5DFE0384325B556EE4B8668E502312B9BA6ADC298CD9213DDFA528CB959ADC06
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba		compressed
		MD5:0DC7AF995FD274DAF4BCA96E9518F157	SHA256:BBDB98AFB0632FB6AD7DB35A476A4B971C199D81F6D9E30C577ED48BA46148FF
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb		image
		MD5:55653D73F359016F5BCB0B90183F61DF	SHA256:050CA6FB6DBFD30B004B5013CEF04BEF2739C3E8ED0D9D83B0DE95A9B3E4FEC5
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c6		compressed
		MD5:21506AF30F4B005DB86B0071B76B5319	SHA256:3E72D62E17E8696CA54C061AD9EAAA83DF5DCDD269ECCF220360C5F97085CCFD
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity		binary
		MD5:82AE7EB55589762ECDD3DD3F2E7FF42B	SHA256:8872C1FDB6AE77F18BF58692E278EBC24B9B44D1D74E2C306BF5E9C9AAA17920
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		compressed
		MD5:CA4CA7A61EF712CA74D493361892005B	SHA256:92A94FC2ACE85ECF9E7BD5957517ECCB6A792A934615BD3B818A93083790DF9C
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF2b5d32.TMP		binary
		MD5:15D26FA4E16467BE658F42074AC0DBAA	SHA256:D287407BD901A32E3F38F4392984507184D596C3694FAA69DD0B2E68F9F3A8FE
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\da177f56-70ac-4d94-9b5c-d2d4f36afcca.tmp		binary
		MD5:82AE7EB55589762ECDD3DD3F2E7FF42B	SHA256:8872C1FDB6AE77F18BF58692E278EBC24B9B44D1D74E2C306BF5E9C9AAA17920
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c2		compressed
		MD5:1CB07BCAD1A7DC1C906B84E8D6F37AD3	SHA256:AD8C9B2BFFD74BFE2BF1883D6C329C564A839B7B93C5A508FF5381BEA940DCAC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

278

TCP/UDP connections

204

DNS requests

172

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	HEAD	200	184.30.17.174:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
—	—	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2660	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	13.107.21.239:443	https://edge.microsoft.com/autofillservice/core/page/-4978002286242227096/-7155579881328384192?variations_header=CLUICLMQCLuMywE=	unknown	binary	20 b	whitelisted
—	—	GET	200	13.107.246.45:443	https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=dafSite&IsStable=false	unknown	binary	332 Kb	whitelisted
—	—	GET	200	184.30.17.174:443	https://fs.microsoft.com/fs/windows/config.json	unknown	binary	55 b	whitelisted
—	—	GET	200	13.107.246.45:443	https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=commonConfig&IsStable=false	unknown	binary	481 b	whitelisted
4304	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	OPTIONS	200	142.250.184.234:443	https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData	unknown	—	—	—
—	—	GET	200	142.250.186.68:443	https://www.google.com/async/hpba?yv=3&cs=0&ei=Nu1cZ5bSJZuFwbkP_-aSqAk&async=_basejs:/xjs/_/js/k%3Dxjs.hd.en_US.sulhDQeb0gQ.es5.O/am%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAFAAAAIAAAAAAgAAAAAAAAAEAQAAAIAAACAAAALAAARDAACAAAIAAAAAEAPMoUAAEiAAAAAAACAAggLAAAAAEAAIAAAAAAAACAAgAAAACAAAAAAABAAAAABAgAAAAAAAAAAAAQAACAHgAAAAAAAABAQAAAMAwMQAAAAAAAAKAPAIIHcEhtAQAAAAAAAAAAAAAAIECCYC4kICAAAQAAAAAAAAAAAAAAAABEmriwAQ/dg%3D0/rs%3DACT90oEm3-J53f-N-YhMj2FwBeswNyFn7A,_basecss:/xjs/_/ss/k%3Dxjs.hd.M7Q_cMuBS-g.L.W.O/am%3DCEgVAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAATdCQAABgCwCxAgAAAAAAAGAEAQgAAIABACEIAArAAABAgASgAAKAAgAKAAAAAQWAEkgIAMAFACkNAzHwAoEACAAIAAYAAZMASiAhAKAAEAAAAAAAAEAAAADAEgEACgAyAADACRAADIHggAAAAAIAgAgJ0AMAwMQAAAAAAAAIAMAAAAcEgNAQAAAAAAAAAAAAAAABCCYCgAoCAAAAAAAAAAAAAAAAAAAAAEmiA/rs%3DACT90oE36aIvbJVTyEg5vOThDOadyQXQ9w,_basecomb:/xjs/_/js/k%3Dxjs.hd.en_US.sulhDQeb0gQ.es5.O/ck%3Dxjs.hd.M7Q_cMuBS-g.L.W.O/am%3DCEgVAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAATdCQAAJgCwCxAgAAAAAAAGAEAQgAAIABACEIAArAAARDgASgAAKAAgAKEAPMoUWAEmgIAMAFACkNgzPwAoEAGAAIAAYAAZMASiAhAKAAGAAAAAAABEAAAADAkgEACgAyAADACRAADIHggAAAAAIAhAwJ0AMAwMQAAAAAAAAKAPAIIHcEhtAQAAAAAAAAAAAAAAIFCCYC4koCAAAQAAAAAAAAAAAAAAAABEmriwAQ/d%3D1/ed%3D1/dg%3D0/ujg%3D1/rs%3DACT90oF61d6XW-fBGLUHAabSUa15CFfk5Q,_fmt:prog,_id:_Nu1cZ5bSJZuFwbkP_-aSqAk_8&sp_imghp=false&sp_hpep=2&sp_hpte=0&vet=10ahUKEwiWxdqUm6aKAxWbQjABHX-zBJUQj-0KCBY..i	unknown	html	2.23 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.251:5353	—	—	—	unknown
6700	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2660	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4304	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4792	msedge.exe	20.42.65.88:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5988	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4792	msedge.exe	104.126.37.131:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4792	msedge.exe	172.217.16.196:443	www.google.com	GOOGLE	US	whitelisted
6552	svchost.exe	184.30.17.174:443	fs.microsoft.com	AKAMAI-AS	DE	whitelisted
4792	msedge.exe	216.58.212.131:443	www.gstatic.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
www.bing.com	104.126.37.131 104.126.37.145 104.126.37.123 104.126.37.144 104.126.37.154 104.126.37.155 2.23.209.140 2.23.209.133 2.23.209.130 2.23.209.182 2.23.209.149 2.23.209.187 104.126.37.130 104.126.37.128 104.126.37.139 104.126.37.163	whitelisted
www.google.com	172.217.16.196 142.250.186.68 142.250.184.228	whitelisted
fs.microsoft.com	184.30.17.174	whitelisted
www.gstatic.com	216.58.212.131 142.250.185.227	whitelisted
xpaywalletcdn.azureedge.net	13.107.246.45	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
ogs.google.com	142.250.184.206	whitelisted

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY DNS Query For XXX Adult Site Top Level Domain
—	—	Potential Corporate Privacy Violation	ET POLICY DNS Query For XXX Adult Site Top Level Domain
—	—	Potential Corporate Privacy Violation	ET POLICY DNS Query For XXX Adult Site Top Level Domain
—	—	Potential Corporate Privacy Violation	ET POLICY DNS Query For XXX Adult Site Top Level Domain
—	—	Potential Corporate Privacy Violation	ET POLICY DNS Query For XXX Adult Site Top Level Domain
—	—	Potential Corporate Privacy Violation	ET POLICY DNS Query For XXX Adult Site Top Level Domain

Add for printing

No debug info

General Info

Www.google.com

BD6CBA3DEF4501ECEC0CD849AC0BF345

422239DD4D6C992445D1AB8BE8DF829B5432C4D9

A20F61D619B4A116E8AB9CCADAE0B3AC116E1C4C05B9402695C21A222B0F80FA

3:8+K:DK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Potential Corporate Privacy Violation

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings