Malware analysis https://auth.services.adobe.com/en_US/deeplink.html?deeplink=ssofirst&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FSunbreakWebUI1%2FAdobeID%2Ftoken%3Fredirect_uri%3Dhttps%253A%252F%252Faccount.adobe.com%252F%253Flang%253Den%2523old_hash%253D%2526from_ims%253Dtrue%2526client_id%253DSunbreakWebUI1%2526api%253Dauthorize%2526scope%253DAdobeID%252Copenid%252Cacct_mgmt_api%252Cgnav%252Cread_countries_regions%252Csocial.link%252Cunlink_social_account%252Cadditional_info.address.mail_to%252Cclient.scopes.read%252Cpublisher.read%252Cadditional_info.account_type%252Cadditional_info.roles%252Cadditional_info.social%252Cadditional_info.screen_name%252Cadditional_info.optionalAgreements%252Cadditional_info.secondary_email%252Cadditional_info.secondary_email_verified%252Cadditional_info.phonetic_name%252Cadditional_info.dob%252Cupdate_profile.all%252Csecurity_profile.read%252Csecurity_profile.update%252Cadmin_manage_user_consent%252Cadmin_slo%252Cpiip_write%252Cmps%252Clast_password_update%252Cupdate_email%252Caccount_cluster.read%252Caccount_cluster.update%252Cadditional_info.authenticatingAccount%2526reauth%253Dtrue%26state%3D%257B%2522jslibver%2522%253A%2522v2-v0.31.0-2-g1e8a8a8%2522%252C%2522nonce%2522%253A%25221271451663199186%2522%257D%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=SunbreakWebUI1&scope=AdobeID%2Copenid%2Cacct_mgmt_api%2Cgnav%2Cread_countries_regions%2Csocial.link%2Cunlink_social_account%2Cadditional_info.address.mail_to%2Cclient.scopes.read%2Cpublisher.read%2Cadditional_info.account_type%2Cadditional_info.roles%2Cadditional_info.social%2Cadditional_info.screen_name%2Cadditional_info.optionalAgreements%2Cadditional_info.secondary_email%2Cadditional_info.secondary_email_verified%2Cadditional_info.phonetic_name%2Cadditional_info.dob%2Cupdate_profile.all%2Csecurity_profile.read%2Csecurity_profile.update%2Cadmin_manage_user_consent%2Cadmin_slo%2Cpiip_write%2Cmps%2Clast_password_update%2Cupdate_email%2Caccount_cluster.read%2Caccount_cluster.update%2Cadditional_info.authenticatingAccount%2Creauthenticated&denied_callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fdenied%2FSunbreakWebUI1%3Fredirect_uri%3Dhttps%253A%252F%252Faccount.adobe.com%252F%253Flang%253Den%2523old_hash%253D%2526from_ims%253Dtrue%2526client_id%253DSunbreakWebUI1%2526api%253Dauthorize%2526scope%253DAdobeID%252Copenid%252Cacct_mgmt_api%252Cgnav%252Cread_countries_regions%252Csocial.link%252Cunlink_social_account%252Cadditional_info.address.mail_to%252Cclient.scopes.read%252Cpublisher.read%252Cadditional_info.account_type%252Cadditional_info.roles%252Cadditional_info.social%252Cadditional_info.screen_name%252Cadditional_info.optionalAgreements%252Cadditional_info.secondary_email%252Cadditional_info.secondary_email_verified%252Cadditional_info.phonetic_name%252Cadditional_info.dob%252Cupdate_profile.all%252Csecurity_profile.read%252Csecurity_profile.update%252Cadmin_manage_user_consent%252Cadmin_slo%252Cpiip_write%252Cmps%252Clast_password_update%252Cupdate_email%252Caccount_cluster.read%252Caccount_cluster.update%252Cadditional_info.authenticatingAccount%2526reauth%253Dtrue%26response_type%3Dtoken%26state%3D%257B%2522jslibver%2522%253A%2522v2-v0.31.0-2-g1e8a8a8%2522%252C%2522nonce%2522%253A%25221271451663199186%2522%257D&state=%7B%22jslibver%22%3A%22v2-v0.31.0-2-g1e8a8a8%22%2C%22nonce%22%3A%221271451663199186%22%7D&relay=479a9ded-14ff-4d07-9052-1b80dba1114d&locale=en_US&flow_type=token&idp_flow_type=login&reauthenticate=force&ab_test=social-prio-just-white-with-distance%7Csocial-prio-just-white%7Creference&s_p=google%2Cfacebook%2Capple&response_type=token#/ Malicious activity

Add for printing

URL:	https://auth.services.adobe.com/en_US/deeplink.html?deeplink=ssofirst&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FSunbreakWebUI1%2FAdobeID%2Ftoken%3Fredirect_uri%3Dhttps%253A%252F%252Faccount.adobe.com%252F%253Flang%253Den%2523old_hash%253D%2526from_ims%253Dtrue%2526client_id%253DSunbreakWebUI1%2526api%253Dauthorize%2526scope%253DAdobeID%252Copenid%252Cacct_mgmt_api%252Cgnav%252Cread_countries_regions%252Csocial.link%252Cunlink_social_account%252Cadditional_info.address.mail_to%252Cclient.scopes.read%252Cpublisher.read%252Cadditional_info.account_type%252Cadditional_info.roles%252Cadditional_info.social%252Cadditional_info.screen_name%252Cadditional_info.optionalAgreements%252Cadditional_info.secondary_email%252Cadditional_info.secondary_email_verified%252Cadditional_info.phonetic_name%252Cadditional_info.dob%252Cupdate_profile.all%252Csecurity_profile.read%252Csecurity_profile.update%252Cadmin_manage_user_consent%252Cadmin_slo%252Cpiip_write%252Cmps%252Clast_password_update%252Cupdate_email%252Caccount_cluster.read%252Caccount_cluster.update%252Cadditional_info.authenticatingAccount%2526reauth%253Dtrue%26state%3D%257B%2522jslibver%2522%253A%2522v2-v0.31.0-2-g1e8a8a8%2522%252C%2522nonce%2522%253A%25221271451663199186%2522%257D%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=SunbreakWebUI1&scope=AdobeID%2Copenid%2Cacct_mgmt_api%2Cgnav%2Cread_countries_regions%2Csocial.link%2Cunlink_social_account%2Cadditional_info.address.mail_to%2Cclient.scopes.read%2Cpublisher.read%2Cadditional_info.account_type%2Cadditional_info.roles%2Cadditional_info.social%2Cadditional_info.screen_name%2Cadditional_info.optionalAgreements%2Cadditional_info.secondary_email%2Cadditional_info.secondary_email_verified%2Cadditional_info.phonetic_name%2Cadditional_info.dob%2Cupdate_profile.all%2Csecurity_profile.read%2Csecurity_profile.update%2Cadmin_manage_user_consent%2Cadmin_slo%2Cpiip_write%2Cmps%2Clast_password_update%2Cupdate_email%2Caccount_cluster.read%2Caccount_cluster.update%2Cadditional_info.authenticatingAccount%2Creauthenticated&denied_callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fdenied%2FSunbreakWebUI1%3Fredirect_uri%3Dhttps%253A%252F%252Faccount.adobe.com%252F%253Flang%253Den%2523old_hash%253D%2526from_ims%253Dtrue%2526client_id%253DSunbreakWebUI1%2526api%253Dauthorize%2526scope%253DAdobeID%252Copenid%252Cacct_mgmt_api%252Cgnav%252Cread_countries_regions%252Csocial.link%252Cunlink_social_account%252Cadditional_info.address.mail_to%252Cclient.scopes.read%252Cpublisher.read%252Cadditional_info.account_type%252Cadditional_info.roles%252Cadditional_info.social%252Cadditional_info.screen_name%252Cadditional_info.optionalAgreements%252Cadditional_info.secondary_email%252Cadditional_info.secondary_email_verified%252Cadditional_info.phonetic_name%252Cadditional_info.dob%252Cupdate_profile.all%252Csecurity_profile.read%252Csecurity_profile.update%252Cadmin_manage_user_consent%252Cadmin_slo%252Cpiip_write%252Cmps%252Clast_password_update%252Cupdate_email%252Caccount_cluster.read%252Caccount_cluster.update%252Cadditional_info.authenticatingAccount%2526reauth%253Dtrue%26response_type%3Dtoken%26state%3D%257B%2522jslibver%2522%253A%2522v2-v0.31.0-2-g1e8a8a8%2522%252C%2522nonce%2522%253A%25221271451663199186%2522%257D&state=%7B%22jslibver%22%3A%22v2-v0.31.0-2-g1e8a8a8%22%2C%22nonce%22%3A%221271451663199186%22%7D&relay=479a9ded-14ff-4d07-9052-1b80dba1114d&locale=en_US&flow_type=token&idp_flow_type=login&reauthenticate=force&ab_test=social-prio-just-white-with-distance%7Csocial-prio-just-white%7Creference&s_p=google%2Cfacebook%2Capple&response_type=token#/
Full analysis:	https://app.any.run/tasks/4b1e491c-05c2-40d1-aa40-94c1110e0388
Verdict:	Malicious activity
Analysis date:	April 26, 2023, 17:12:39
OS:	Windows 10 Professional (build: 19044, 32 bit)
Indicators:
MD5:	657821F270E018C8B6A795C6B24D6D3C
SHA1:	03F6F57E0AB46DF951AE332B124ABEA3AD93C146
SHA256:	A21358308E94D30C3AC6C70596ECE48EEAD0149FE790E5539196E4C28E13D52F
SSDEEP:	48:gq+KkMLJtLBw6t5MOZ3f+0dP2FoSnk57p30a8oemeBoxMLJtLBw6t5MOZ3f+0QiQ:LUM2ru0CNyqM2Sy+NY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader (22.003.20314)
Adobe Acrobat Reader (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (103.0.5060.134)
Google Chrome (103.0.5060.134)
Google Update Helper (1.3.33.23)
Google Update Helper (1.3.33.23)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 92 (8.0.920.14)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge WebView2 Runtime (105.0.1343.50)
Microsoft Edge WebView2 Runtime (105.0.1343.50)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox (x86 en-US) (111.0.1)
Mozilla Firefox (x86 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.16026.20146)
Opera 12.15 (12.15.1748)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Skype™ 7.39 (7.39.102)
Update for Windows 10 (KB4023057) (2.13.0.0)
Update for Windows 10 (KB4023057) (2.13.0.0)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - iexplore.exe (PID: 3500)
  - msedge.exe (PID: 696)
- The process checks LSA protection
  - identity_helper.exe (PID: 5376)
  - cookie_exporter.exe (PID: 5736)
- Create files in a temporary directory
  - iexplore.exe (PID: 3500)
  - msedge.exe (PID: 4576)
  - msedge.exe (PID: 696)
- Checks supported languages
  - identity_helper.exe (PID: 5376)
  - cookie_exporter.exe (PID: 5736)
- Reads the computer name
  - identity_helper.exe (PID: 5376)
  - cookie_exporter.exe (PID: 5736)
- Checks proxy server information
  - cookie_exporter.exe (PID: 5736)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

116

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

696

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=60220

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

ie_to_edge_stub.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

820

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2476 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:8

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\bcryptprimitives.dll

844

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:8

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

880

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4160 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

1072

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4544 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

1092

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4460 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll

1416

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3408 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

1416

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6572 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

1524

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4600 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

1568

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6420 --field-trial-handle=1828,i,10026082725889725608,2773254107987039600,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

Add for printing

Total events

21 660

Read events

21 402

Write events

226

Delete events

Modification events


(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	OperationalData
Value: 0C00000000000000
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation
Operation:	write	Name:	CVListXMLVersionLow
Value: 395196024
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation
Operation:	write	Name:	CVListXMLVersionHigh
Value: 268435456
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Spartan
Operation:	write	Name:	RAC_LaunchFlags
Value: 53
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\GPU
Operation:	write	Name:	SoftwareFallback
Value: 0
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\GPU
Operation:	write	Name:	VendorId
Value: 5140
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\GPU
Operation:	write	Name:	DeviceId
Value: 140
(PID) Process:	(3500) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\GPU
Operation:	write	Name:	SubSysId
Value: 0

Add for printing

Executable files

142

Suspicious files

1 911

Text files

426

Unknown types

Dropped files

PID	Process	Filename		Type
696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF31f137.TMP		—
		MD5:—	SHA256:—
696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
696	msedge.exe	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\CRASHPAD\SETTINGS.DAT		binary
		MD5:92D9CD16583CABA0C0A8812C51FCD2F3	SHA256:B0548F823DA8030F6EF729D21AE8798C62736DD02B8EF1B72254961F20F0CD48
3132	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE		binary
		MD5:CCA0D061405B610F4AAA52488A4F3A0D	SHA256:B90418B37E24A13201982FD6981612A8C4E21608BD643FA731536C76D700CD58
3132	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE		binary
		MD5:E9D5BC629A44A2C05F24433D5F4C8B56	SHA256:5E51F44222BC04BF8870A1ADC09280F4060B95ECAC675FDA16BB12EA6D1B7AA9
696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal		—
		MD5:—	SHA256:—
696	msedge.exe	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\VARIATIONS		binary
		MD5:67408267EF01ED6B9372F04C029B602A	SHA256:B5AA30B0D3E08F80F60EFFA00FE335D2295FA494B36F33A2E8D8C66E0A34234A
696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\index		binary
		MD5:15F212D94A93B97C3CC1E5854B1239F3	SHA256:B21772C5CCEA78F8F8D42AFDEABB8564B337835A637F15FD5D3F701412FEBC50
696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1		vxd
		MD5:259E7ED5FB3C6C90533B963DA5B2FC1B	SHA256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Version		text
		MD5:D6DB6EA02FE506F2DA98F1C137243587	SHA256:126173A7D7D0F54A9FCE5465180BC49DB023E723A41BB55A0F9497BE76FBAA28

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

109

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1216	svchost.exe	HEAD	200	209.197.3.8:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/609c7d80-bdfc-4462-8956-bdcb8d63d072?P1=1683100756&P2=404&P3=2&P4=mwmiareEI%2f5vJE21Ry7b0yOKbDpDuQdmO%2ffOSEzLXm3E7UM6wdv2suhv5TznYhyqzGVuAG65Nd3zfL6EPuwstQ%3d%3d	US	—	—	whitelisted
2248	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.11 Kb	whitelisted
3132	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D	US	der	471 b	whitelisted
1600	svchost.exe	GET	200	23.37.62.128:80	http://x1.c.lencr.org/	DE	binary	717 b	whitelisted
1216	svchost.exe	GET	206	209.197.3.8:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/609c7d80-bdfc-4462-8956-bdcb8d63d072?P1=1683100756&P2=404&P3=2&P4=mwmiareEI%2f5vJE21Ry7b0yOKbDpDuQdmO%2ffOSEzLXm3E7UM6wdv2suhv5TznYhyqzGVuAG65Nd3zfL6EPuwstQ%3d%3d	US	binary	4.98 Kb	whitelisted
1600	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl	unknown	binary	564 b	whitelisted
1216	svchost.exe	GET	206	209.197.3.8:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/609c7d80-bdfc-4462-8956-bdcb8d63d072?P1=1683100756&P2=404&P3=2&P4=mwmiareEI%2f5vJE21Ry7b0yOKbDpDuQdmO%2ffOSEzLXm3E7UM6wdv2suhv5TznYhyqzGVuAG65Nd3zfL6EPuwstQ%3d%3d	US	binary	1.09 Kb	whitelisted
1216	svchost.exe	GET	206	209.197.3.8:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/609c7d80-bdfc-4462-8956-bdcb8d63d072?P1=1683100756&P2=404&P3=2&P4=mwmiareEI%2f5vJE21Ry7b0yOKbDpDuQdmO%2ffOSEzLXm3E7UM6wdv2suhv5TznYhyqzGVuAG65Nd3zfL6EPuwstQ%3d%3d	US	binary	46.7 Kb	whitelisted
1216	svchost.exe	GET	206	209.197.3.8:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/609c7d80-bdfc-4462-8956-bdcb8d63d072?P1=1683100756&P2=404&P3=2&P4=mwmiareEI%2f5vJE21Ry7b0yOKbDpDuQdmO%2ffOSEzLXm3E7UM6wdv2suhv5TznYhyqzGVuAG65Nd3zfL6EPuwstQ%3d%3d	US	binary	3.36 Kb	whitelisted
1216	svchost.exe	GET	206	209.197.3.8:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/609c7d80-bdfc-4462-8956-bdcb8d63d072?P1=1683100756&P2=404&P3=2&P4=mwmiareEI%2f5vJE21Ry7b0yOKbDpDuQdmO%2ffOSEzLXm3E7UM6wdv2suhv5TznYhyqzGVuAG65Nd3zfL6EPuwstQ%3d%3d	US	binary	8.73 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3132	iexplore.exe	104.102.40.139:443	go.microsoft.com	AKAMAI-AS	DE	malicious
3132	iexplore.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3132	iexplore.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1844	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1844	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1844	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3500	iexplore.exe	104.102.40.139:443	go.microsoft.com	AKAMAI-AS	DE	malicious
1844	msedge.exe	13.107.238.45:443	edgeassetservice.azureedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3500	iexplore.exe	2.23.209.182:443	www.bing.com	Akamai International B.V.	GB	suspicious
3500	iexplore.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
go.microsoft.com	104.102.40.139	whitelisted
www.bing.com	2.23.209.182 2.23.209.133 2.23.209.149 2.23.209.130 2.23.209.189 2.23.209.179	whitelisted
api.bing.com	13.107.5.80	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
config.edge.skype.com	13.107.42.16	malicious
officeclient.microsoft.com	52.109.52.148	whitelisted
edgeassetservice.azureedge.net	13.107.238.45 13.107.237.45	whitelisted
ieonline.microsoft.com	204.79.197.200	whitelisted
nav-edge.smartscreen.microsoft.com	20.31.42.83	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

657821F270E018C8B6A795C6B24D6D3C

03F6F57E0AB46DF951AE332B124ABEA3AD93C146

A21358308E94D30C3AC6C70596ECE48EEAD0149FE790E5539196E4C28E13D52F

48:gq+KkMLJtLBw6t5MOZ3f+0dP2FoSnk57p30a8oemeBoxMLJtLBw6t5MOZ3f+0QiQ:LUM2ru0CNyqM2Sy+NY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

The process checks LSA protection

Create files in a temporary directory

Checks supported languages

Reads the computer name

Checks proxy server information

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings