File name:

file01.ps1

Full analysis: https://app.any.run/tasks/fbc802c1-fd5a-4757-b136-bb4aea33fa87
Verdict: Malicious activity
Analysis date: January 24, 2025, 09:55:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

3B73958074A4698726BF441E11406DC8

SHA1:

7528440B0DF8F28EFAE3007453D47ADC1BAC63C0

SHA256:

A7823ABC972CF3A3BA9C7697A00AEAA23A605AC59175967B1415A2C1455D81CA

SSDEEP:

3072:CDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY:CDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2600)

    • Execute application with conhost.exe as parent process

      • cmd.exe (PID: 8412)

  • SUSPICIOUS

    • Reads Internet Explorer settings

      • IEChooser.exe (PID: 2356)

    • Reads Microsoft Outlook installation path

      • IEChooser.exe (PID: 2356)

    • Executable content was dropped or overwritten

      • RTLCPL.EXE (PID: 5780)

    • Uses WMIC.EXE

      • powershell.exe (PID: 2600)

    • Application launched itself

      • powershell.exe (PID: 2600)
      • ClipUp.exe (PID: 8656)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2600)

    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 2600)

    • Uses ICACLS.EXE to modify access control lists

      • powershell.exe (PID: 2600)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2600)
      • conhost.exe (PID: 8376)
      • forfiles.exe (PID: 8860)

    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • powershell.exe (PID: 2600)

    • Reads security settings of Internet Explorer

      • wmplayer.exe (PID: 10512)
      • ShellExperienceHost.exe (PID: 9464)

    • Using 'findstr.exe' to search for text patterns in files and output

      • powershell.exe (PID: 2600)

    • SQL CE related mutex has been found

      • unregmp2.exe (PID: 11004)

    • Searches and executes a command on selected files

      • forfiles.exe (PID: 8860)

    • Write to the desktop.ini file (may be used to cloak folders)

      • FXSCOVER.exe (PID: 10388)

    • Process uses IPCONFIG to get network configuration information

      • powershell.exe (PID: 2600)

    • Executes application which crashes

      • hvax64.exe (PID: 11280)
      • hvix64.exe (PID: 11308)

    • Sets XML DOM element text (SCRIPT)

      • FXSCOVER.exe (PID: 10388)

  • INFO

    • Checks supported languages

      • CPLUtl64.exe (PID: 3080)
      • AppVStreamingUX.exe (PID: 836)
      • Alcrmv64.exe (PID: 3876)
      • FlashUtil64_32_0_0_465_pepper.exe (PID: 2324)
      • FlashUtil64_32_0_0_465_Plugin.exe (PID: 5036)
      • SOUNDMAN.EXE (PID: 6116)
      • scp.exe (PID: 6244)
      • RTLCPL.EXE (PID: 5780)
      • ssh-add.exe (PID: 6296)
      • ssh-agent.exe (PID: 6344)
      • ssh-keyscan.exe (PID: 6416)
      • RTBK.EXE (PID: 6848)
      • appidtel.exe (PID: 7980)
      • AggregatorHost.exe (PID: 6432)
      • CPLUtl64.exe (PID: 7240)
      • DataStoreCacheDumpTool.exe (PID: 9244)
      • curl.exe (PID: 8116)
      • deploymentcsphelper.exe (PID: 9404)
      • ShellExperienceHost.exe (PID: 9464)
      • drvinst.exe (PID: 1512)
      • expand.exe (PID: 10512)
      • wmplayer.exe (PID: 10512)
      • setup_wm.exe (PID: 10680)
      • ssh-keygen.exe (PID: 6388)
      • agentactivationruntimestarter.exe (PID: 6384)

    • Reads the computer name

      • AppVStreamingUX.exe (PID: 836)
      • FlashUtil64_32_0_0_465_pepper.exe (PID: 2324)
      • scp.exe (PID: 6244)
      • FlashUtil64_32_0_0_465_Plugin.exe (PID: 5036)
      • ssh-agent.exe (PID: 6344)
      • ssh-keygen.exe (PID: 6388)
      • ssh-keyscan.exe (PID: 6416)
      • RTBK.EXE (PID: 6848)
      • agentactivationruntimestarter.exe (PID: 6384)
      • RTLCPL.EXE (PID: 5780)
      • wmplayer.exe (PID: 10512)
      • extrac32.exe (PID: 11028)
      • setup_wm.exe (PID: 10680)
      • identity_helper.exe (PID: 4220)
      • SOUNDMAN.EXE (PID: 6116)
      • ssh-add.exe (PID: 6296)

    • Reads the machine GUID from the registry

      • AppVStreamingUX.exe (PID: 836)
      • scp.exe (PID: 6244)
      • ssh-add.exe (PID: 6296)
      • ssh-keygen.exe (PID: 6388)
      • ssh-keyscan.exe (PID: 6416)

    • Reads security settings of Internet Explorer

      • IEChooser.exe (PID: 2356)
      • WMIC.exe (PID: 7068)
      • UNPUXHost.exe (PID: 6684)
      • SpeechRuntime.exe (PID: 6560)
      • calc.exe (PID: 8172)
      • AppHostRegistrationVerifier.exe (PID: 7732)
      • OpenWith.exe (PID: 7580)
      • certreq.exe (PID: 7624)
      • cleanmgr.exe (PID: 8472)
      • mmc.exe (PID: 3092)
      • CompMgmtLauncher.exe (PID: 9132)
      • DpiScaling.exe (PID: 9988)
      • powershell_ise.exe (PID: 4512)
      • explorer.exe (PID: 10148)
      • FileHistory.exe (PID: 10256)
      • FXSCOVER.exe (PID: 10388)
      • LaunchTM.exe (PID: 11984)
      • Taskmgr.exe (PID: 10316)

    • Creates files or folders in the user directory

      • IEChooser.exe (PID: 2356)
      • DeviceCensus.exe (PID: 9452)
      • unregmp2.exe (PID: 11004)
      • powershell_ise.exe (PID: 4512)

    • The sample compiled with english language support

      • RTLCPL.EXE (PID: 5780)

    • Reads the software policy settings

      • SpeechRuntime.exe (PID: 6560)
      • DeviceCensus.exe (PID: 9452)
      • powershell_ise.exe (PID: 4512)
      • WerFault.exe (PID: 11596)

    • Create files in a temporary directory

      • RTLCPL.EXE (PID: 5780)
      • ClipUp.exe (PID: 8732)
      • ddodiag.exe (PID: 9380)
      • powershell_ise.exe (PID: 4512)
      • FXSSVC.exe (PID: 11244)
      • licensingdiag.exe (PID: 12116)

    • Application launched itself

      • msedge.exe (PID: 7164)

    • Checks proxy server information

      • SpeechRuntime.exe (PID: 6560)
      • AppHostRegistrationVerifier.exe (PID: 7732)
      • DeviceCensus.exe (PID: 9452)
      • WerFault.exe (PID: 11596)

    • Uses BITSADMIN.EXE

      • powershell.exe (PID: 2600)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6156)
      • powershell_ise.exe (PID: 4512)

    • Disables trace logs

      • cmmon32.exe (PID: 8932)
      • cmstp.exe (PID: 8964)

    • Execution of CURL command

      • powershell.exe (PID: 2600)

    • Process checks computer location settings

      • wmplayer.exe (PID: 10512)

    • Creates files in the program directory

      • mmc.exe (PID: 3092)

    • Failed to create an executable file in Windows directory

      • fixmapi.exe (PID: 10664)

    • Reads the time zone

      • DeviceCensus.exe (PID: 9452)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 10592)

    • Reads Environment values

      • identity_helper.exe (PID: 4220)

    • Checks transactions between databases Windows and Oracle

      • lpksetup.exe (PID: 11760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
552
Monitored processes
388
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs appvstreamingux.exe no specs winresume.exe no specs comrepl.exe no specs migregdb.exe no specs diagnosticshub.standardcollector.service.exe no specs dismhost.exe no specs alcrmv64.exe no specs cplutl64.exe no specs rtlcpl.exe soundman.exe no specs iechooser.exe no specs imjpdct.exe no specs imjpset.exe no specs imjpuex.exe no specs imjpuexc.exe imtclnwz.exe no specs imtcprop.exe no specs imccphr.exe no specs imebroker.exe no specs imecfmui.exe no specs imepadsv.exe no specs imesearch.exe no specs imewdbld.exe no specs chsime.exe no specs chtime.exe no specs flashutil64_32_0_0_465_pepper.exe no specs flashutil64_32_0_0_465_plugin.exe no specs mighost.exe no specs setupplatform.exe no specs audit.exe no specs auditshd.exe no specs firstlogonanim.exe no specs msoobe.exe no specs oobeldr.exe no specs setup.exe no specs useroobebroker.exe no specs windeploy.exe no specs scp.exe no specs sftp.exe no specs ssh-add.exe no specs ssh-agent.exe no specs ssh-keygen.exe no specs ssh-keyscan.exe no specs ssh.exe no specs perceptionsimulationinput.exe no specs perceptionsimulationservice.exe no specs speechuxwiz.exe no specs speechmodeldownload.exe no specs speechruntime.exe printbrm.exe no specs printbrmengine.exe no specs sysprep.exe no specs systemresetplatform.exe no specs unpuxhost.exe no specs unpuxlauncher.exe no specs updatenotificationmgr.exe no specs mofcomp.exe no specs scrcons.exe no specs rtbk.exe no specs unsecapp.exe no specs wbemtest.exe no specs winmgmt.exe no specs wmiadap.exe no specs wmiapsrv.exe no specs wmic.exe no specs wmiprvse.exe no specs facefoduninstaller.exe no specs msedge.exe powershell.exe no specs powershell_ise.exe no specs msedge.exe no specs agentactivationruntimestarter.exe no specs agentservice.exe no specs aggregatorhost.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs aitstatic.exe no specs msedge.exe no specs msedge.exe no specs cplutl64.exe no specs alg.exe no specs apphostregistrationverifier.exe no specs appidcertstorecheck.exe no specs appidpolicyconverter.exe no specs appidtel.exe no specs applicationframehost.exe no specs applysettingstemplatecatalog.exe no specs applytrustoffline.exe no specs approvechildrequest.exe no specs appvclient.exe no specs appvdllsurrogate.exe no specs appvnice.exe no specs appvshnotify.exe no specs appvstreamingux.exe no specs arp.exe no specs assignedaccessguard.exe no specs at.exe no specs atbroker.exe no specs attrib.exe no specs audiodg.exe no specs auditpol.exe no specs authhost.exe no specs autochk.exe no specs autoconv.exe no specs autofmt.exe no specs axinstui.exe no specs baaupdate.exe no specs backgroundtaskhost.exe no specs backgroundtransferhost.exe no specs bcdboot.exe no specs bcdedit.exe no specs bdechangepin.exe no specs bdehdcfg.exe no specs bdeuisrv.exe no specs bdeunlock.exe no specs bioiso.exe no specs bitlockerdeviceencryption.exe no specs bitlockerwizard.exe no specs bitlockerwizardelev.exe no specs bitsadmin.exe no specs bootcfg.exe no specs bootim.exe no specs bootsect.exe no specs bridgeunattend.exe no specs browserexport.exe no specs browser_broker.exe no specs bthudtask.exe no specs bytecodegenerator.exe no specs cacls.exe no specs calc.exe no specs camerasettingsuihost.exe no specs castsrv.exe no specs certenrollctrl.exe no specs certreq.exe no specs certutil.exe no specs change.exe no specs openwith.exe no specs changepk.exe no specs charmap.exe no specs checknetisolation.exe no specs chglogon.exe no specs chgport.exe no specs chgusr.exe no specs chkdsk.exe no specs chkntfs.exe no specs msedge.exe no specs msedge.exe no specs choice.exe no specs cidiag.exe no specs msedge.exe no specs cipher.exe no specs cleanmgr.exe no specs cliconfg.exe no specs clip.exe no specs cliprenew.exe no specs clipup.exe no specs cloudexperiencehostbroker.exe no specs cloudnotifications.exe no specs clipup.exe no specs conhost.exe no specs cmd.exe no specs cmdkey.exe no specs cmdl32.exe no specs cmmon32.exe no specs cmstp.exe no specs cofire.exe no specs colorcpl.exe no specs comp.exe no specs compact.exe no specs compattelrunner.exe no specs compmgmtlauncher.exe no specs msedge.exe no specs comppkgsrv.exe no specs computerdefaults.exe no specs conhost.exe no specs cmd.exe no specs consent.exe no specs control.exe no specs convert.exe no specs convertvhd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs coredpussvr.exe no specs credentialenrollmentmanager.exe no specs explorer.exe no specs credentialuibroker.exe no specs mmc.exe no specs credwiz.exe no specs cscript.exe no specs csrss.exe no specs ctfmon.exe no specs cttune.exe no specs cttunesvr.exe no specs mmc.exe curl.exe no specs custominstallexec.exe no specs customshellhost.exe no specs msedge.exe no specs dashost.exe no specs msedge.exe no specs explorer.exe no specs msedge.exe no specs dataexchangehost.exe no specs COpenControlPanel no specs datastorecachedumptool.exe no specs datausagelivetiletask.exe no specs dccw.exe no specs dcomcnfg.exe no specs ddodiag.exe no specs defrag.exe no specs deploymentcsphelper.exe no specs desktopimgdownldr.exe no specs devicecensus.exe devicecredentialdeployment.exe no specs deviceeject.exe no specs deviceenroller.exe no specs devicepairingwizard.exe no specs msedge.exe no specs deviceproperties.exe no specs dfdwiz.exe no specs dfrgui.exe no specs dialer.exe no specs directxdatabaseupdater.exe no specs diskpart.exe no specs diskperf.exe no specs diskraid.exe no specs disksnapshot.exe no specs dism.exe no specs dispdiag.exe no specs displayswitch.exe no specs djoin.exe no specs dllhost.exe no specs dllhst3g.exe no specs dmcertinst.exe no specs dmcfghost.exe no specs dmclient.exe no specs dmnotificationbroker.exe no specs dmomacpmo.exe no specs dnscacheugc.exe no specs doskey.exe no specs dpapimig.exe no specs dpiscaling.exe no specs driverquery.exe no specs explorer.exe no specs drvinst.exe no specs shellexperiencehost.exe no specs explorer.exe no specs dsmusertask.exe no specs dsregcmd.exe no specs dstokenclean.exe no specs dtuhandler.exe no specs dusmtask.exe no specs dvdplay.exe no specs wmplayer.exe no specs dwm.exe no specs dwwin.exe no specs dxdiag.exe no specs dxgiadaptercache.exe no specs setup_wm.exe no specs unregmp2.exe no specs dxpserver.exe no specs eap3host.exe no specs easeofaccessdialog.exe no specs easinvoker.exe no specs unregmp2.exe no specs easpolicymanagerbrokerhost.exe no specs edpcleanup.exe no specs edpnotify.exe no specs eduprintprov.exe no specs efsui.exe no specs ehstorauthn.exe no specs em.exe no specs eoaexperiences.exe no specs esentutl.exe eudcedit.exe no specs eventcreate.exe no specs eventvwr.exe no specs expand.exe no specs msedge.exe no specs extrac32.exe no specs fc.exe no specs fclip.exe no specs fhmanagew.exe no specs filehistory.exe no specs find.exe no specs findstr.exe no specs finger.exe no specs fixmapi.exe no specs fltmc.exe no specs fodhelper.exe no specs fondue.exe no specs fontdrvhost.exe no specs fontview.exe no specs forfiles.exe no specs cmd.exe no specs fsavailux.exe no specs fsiso.exe no specs fsquirt.exe no specs cmd.exe no specs fsutil.exe no specs cmd.exe no specs ftp.exe no specs cmd.exe no specs fvenotify.exe no specs cmd.exe no specs fveprompt.exe no specs fxscover.exe no specs cmd.exe no specs cmd.exe no specs fxssvc.exe no specs fxsunatd.exe no specs cmd.exe no specs cmd.exe no specs gamebarpresencewriter.exe no specs gameinputsvc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs gamepanel.exe no specs cmd.exe no specs identity_helper.exe no specs identity_helper.exe no specs genvalobj.exe no specs getmac.exe no specs gpresult.exe no specs gpscript.exe no specs gpupdate.exe no specs grpconv.exe no specs hdwwiz.exe no specs help.exe no specs hostname.exe no specs hvax64.exe hvix64.exe hvsievaluator.exe no specs icacls.exe no specs icsentitlementhost.exe no specs icsunattend.exe no specs ie4uinit.exe no specs ie4ushowie.exe no specs iesettingsync.exe no specs werfault.exe no specs werfault.exe ieunatt.exe no specs iexpress.exe no specs immersivetpmvscmgrsvr.exe no specs infdefaultinstall.exe no specs inputswitchtoasthandler.exe no specs iotstartup.exe no specs ipconfig.exe no specs iscsicli.exe no specs iscsicpl.exe no specs isoburn.exe no specs klist.exe no specs ksetup.exe no specs ktmutil.exe no specs label.exe no specs languagecomponentsinstallercomhandler.exe no specs launchtm.exe no specs launchwinapp.exe no specs legacynetuxhost.exe no specs licensemanagershellext.exe no specs taskmgr.exe no specs licensingdiag.exe no specs licensingui.exe no specs locationnotificationwindows.exe no specs locator.exe no specs lockapphost.exe no specs lockscreencontentserver.exe no specs lodctr.exe no specs taskmgr.exe logagent.exe no specs logman.exe no specs logoff.exe no specs logonui.exe no specs lpkinstall.exe no specs lpksetup.exe no specs lpremove.exe no specs tiworker.exe no specs lpksetup.exe no specs werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
8"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=6476 --field-trial-handle=2340,i,11207398439605925089,17270839120775077485,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
1073807364
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
748"C:\Windows\System32\Fondue.exe"C:\Windows\System32\Fondue.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Features on Demand UX
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fondue.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
776"C:\Windows\System32\IME\SHARED\ImeBroker.exe"C:\Windows\System32\IME\SHARED\ImeBroker.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft IME
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ime\shared\imebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
836"C:\Windows\System32\AppV\AppVStreamingUX.exe"C:\Windows\System32\AppV\AppVStreamingUX.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\appv\appvstreamingux.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1020"C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1184"C:\Windows\System32\HOSTNAME.EXE"C:\Windows\System32\HOSTNAME.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\sechost.dll
1248"C:\Windows\System32\help.exe"C:\Windows\System32\help.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Help Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\help.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
1296"C:\Windows\System32\InputMethod\CHT\ChtIME.exe"C:\Windows\System32\InputMethod\CHT\ChtIME.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft IME
Exit code:
4294967295
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\inputmethod\cht\chtime.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1412"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7056 --field-trial-handle=2340,i,11207398439605925089,17270839120775077485,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1488"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3556 --field-trial-handle=2340,i,11207398439605925089,17270839120775077485,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
73 902
Read events
73 276
Write events
609
Delete events
17

Modification events

(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:IMEUserName
Value:
User-MSIME2000
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:Version
Value:
9.0
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:option
Value:
/IT /Y
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:option1
Value:
1376768
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:option2
Value:
0
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:option3
Value:
0
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:style
Value:
NATURAL
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:keystyle
Value:
NATURAL
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:romastyle
Value:
MS-IME
(PID) Process:(3680) IMJPUEX.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IME\15.0\IMEJP\MSIME
Operation:writeName:colstyle
Value:
NATURAL
Executable files
20
Suspicious files
122
Text files
81
Unknown types
1

Dropped files

PID
Process
Filename
Type
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF139cd0.TMP
MD5:
SHA256:
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF139cd0.TMP
MD5:
SHA256:
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2600powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135fd6.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variationsbinary
MD5:1C42329800C95BC1DB27E7657711FF1E
SHA256:D58993216FB0CBF52CED6DA4FCAEBFC8FCC7C1A37191954397BA77951B16BE9B
6156powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qbxh3aql.odn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datbinary
MD5:1E9E15EF6E531C4557100F20C9C76F01
SHA256:46CB063CC268B69B172660F166C4394D5B4EDD802388B3EC16766DEBDB9F86C3
5780RTLCPL.EXEC:\Users\admin\AppData\Local\Temp\RTBK.EXEexecutable
MD5:2CE4EC25271A7EB106787C63B5BD5F79
SHA256:2838CC2653AD5132484A6DB00E5D386AA6EB4AA7A8B0BD71C64FCAF21C1676F6
7164msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\562602b9-e83c-4acb-89cd-b42efdf0707c.tmpbinary
MD5:C103D37B4C52446A910A74BEA06373EB
SHA256:7F118FCEC7F9CCD270132068764D655E54D6BCE5FC6FC0FA681E9CA0DC5B79C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
92
DNS requests
82
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5848
svchost.exe
GET
200
2.16.164.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v2.0/analog/NASP_SapiPolicy?os=Windows&deviceclass=Windows.Desktop&deviceid=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&locale=en-US&osver=10.0.19041.1.amd64fre.vb_release.191206-1406&ring=Retail&sku=48
unknown
GET
302
184.30.21.171:443
https://go.microsoft.com/fwlink/?linkid=844161
unknown
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5848
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
401
13.107.6.158:443
https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox
unknown
GET
301
13.107.246.45:443
https://support.microsoft.com/help/4014916
unknown
GET
301
13.107.246.45:443
https://support.microsoft.com/en-US/windows/9d92e194-36aa-ae41-18f6-fef5459ad86d
unknown
GET
13.107.246.45:443
https://support.microsoft.com/css/sitewide/articleCss-overwrite.css?v=D0lQRoIlvFHSQBRTb-gAQ5KkFe8B8NuSoliBjnT5xZ4
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5848
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.99:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5848
svchost.exe
2.16.164.99:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5848
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
  • 2.21.65.154
  • 2.21.65.132
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.164.99
  • 2.16.164.40
  • 2.16.164.88
  • 2.16.164.107
  • 2.16.164.72
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.61
whitelisted

Threats

PID
Process
Class
Message
6700
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
6700
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
6700
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
6700
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
6700
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
6700
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
Process
Message
imjpuexc.exe
main: Need command.
imjpuexc.exe
ERROR_LEVEL = 128
mmc.exe
ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension
esentutl.exe
Invalid parameter passed to C runtime function.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
file01.ps1