URL:

http://goragalo.live/burnout-inst2

Full analysis: https://app.any.run/tasks/fa1e12ae-d9f2-40c6-9f7a-d05026c29934
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 06, 2026, 08:38:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
evasion
anti-evasion
stealer
telegram
nodejs
susp-powershell
Indicators:
MD5:

175E849B3352DDF2FC4B72AE8F466EEE

SHA1:

48F3B7CF801BE4861F022B7162B7E5DBCDBB49E1

SHA256:

BBEC18B2271B94607A1FB33950A16B21599060B947E11DB68EB4D5121ED96E99

SSDEEP:

3:N1KZKBMMK0NQn:C0BMLFn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8712)
      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 9200)
      • powershell.exe (PID: 7840)
      • powershell.exe (PID: 8828)
      • powershell.exe (PID: 6408)
      • powershell.exe (PID: 8884)
      • powershell.exe (PID: 8640)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 8632)
      • powershell.exe (PID: 5524)
      • powershell.exe (PID: 9184)

    • Get Monitor Information (POWERSHELL)

      • cmd.exe (PID: 8928)

    • Steals credentials from Web Browsers

      • Setup.exe (PID: 8528)

    • Starts POWERSHELL.EXE for commands execution

      • firefox.exe (PID: 9160)

    • Changes powershell execution policy (Bypass)

      • firefox.exe (PID: 9160)

  • SUSPICIOUS

    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 8852)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 8588)
      • cmd.exe (PID: 8700)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 9200)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8772)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8768)
      • cmd.exe (PID: 2724)
      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 8928)
      • cmd.exe (PID: 7452)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 8852)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 8588)
      • cmd.exe (PID: 8700)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 9200)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8772)
      • cmd.exe (PID: 8768)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 2724)
      • cmd.exe (PID: 8928)

    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8852)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 8588)
      • cmd.exe (PID: 8700)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 9200)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8772)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8768)
      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 2724)
      • cmd.exe (PID: 8928)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8852)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 8588)
      • cmd.exe (PID: 8700)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7648)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8852)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 8588)
      • cmd.exe (PID: 8700)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8928)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8584)
      • firefox.exe (PID: 9160)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8852)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 8588)
      • cmd.exe (PID: 8700)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8928)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8816)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 9200)

    • Searches for installed software

      • reg.exe (PID: 7948)

    • Uses REG/REGEDIT.EXE to modify or delete registry entries

      • cmd.exe (PID: 8772)
      • cmd.exe (PID: 7504)
      • powershell.exe (PID: 9184)

    • Possible stealing from crypto wallets

      • Setup.exe (PID: 8528)

    • Checks for external IP

      • svchost.exe (PID: 2232)
      • Setup.exe (PID: 8528)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5524)

    • Creates file in the systems drive root

      • Setup.exe (PID: 8528)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 9184)

    • Browser headless start

      • msedge.exe (PID: 9112)
      • chrome.exe (PID: 9100)
      • firefox.exe (PID: 9160)

    • Possible stealing of messenger data

      • Setup.exe (PID: 8528)

    • BASE64 encoded PowerShell command has been detected

      • firefox.exe (PID: 9160)

    • Possible stealing of VPN data

      • Setup.exe (PID: 8528)

    • Possible stealing of FTP data

      • Setup.exe (PID: 8528)

    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 9184)

    • Possible stealing from password managers

      • Setup.exe (PID: 8528)

    • Possible stealing from notes

      • Setup.exe (PID: 8528)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 4968)

    • Checks supported languages

      • identity_helper.exe (PID: 2368)
      • Setup.exe (PID: 8528)
      • csc.exe (PID: 8816)

    • Reads the computer name

      • identity_helper.exe (PID: 2368)
      • Setup.exe (PID: 8528)

    • Reads Environment values

      • identity_helper.exe (PID: 2368)
      • Setup.exe (PID: 8528)

    • Manual execution by a user

      • Setup.exe (PID: 8528)

    • Reads product name

      • Setup.exe (PID: 8528)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 8712)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 8816)
      • Setup.exe (PID: 8528)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8712)

    • Node.js compiler has been detected

      • Setup.exe (PID: 8528)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8296)
      • WMIC.exe (PID: 2220)

    • Search a value from a registry key

      • cmd.exe (PID: 8772)
      • reg.exe (PID: 7948)
      • cmd.exe (PID: 7504)
      • reg.exe (PID: 5116)

    • Reads CPU info

      • Setup.exe (PID: 8528)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 9184)

    • Forces immediate Group Policy refresh

      • gpupdate.exe (PID: 7760)

    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 9184)

    • Found Base64 encoded file access via PowerShell (YARA)

      • powershell.exe (PID: 9184)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 9184)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • powershell.exe (PID: 9184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
251
Monitored processes
106
Malicious processes
5
Suspicious processes
20

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs setup.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs firefox.exe msedge.exe chrome.exe powershell.exe conhost.exe no specs msedge.exe attrib.exe no specs attrib.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs gpupdate.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
204"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6108,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4796 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
996"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3608,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3876 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1404"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=796,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1772"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5984,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1832"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6340,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1864"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5288,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2220wmic baseboard get Product /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2232C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2268"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4532,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2332"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=1544,i,5874939366859893552,14234670258361091229,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
57 468
Read events
57 457
Write events
11
Delete events
0

Modification events

(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\Installer2026.zip
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(8240) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(8392) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:writeName:C:\Users\admin\AppData\Local\Microsoft\OfficeBroker
Value:
0
Executable files
1
Suspicious files
34
Text files
254
Unknown types
201

Dropped files

PID
Process
Filename
Type
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFe0134.TMP
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe0144.TMP
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe0144.TMP
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFe0144.TMP
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe0163.TMP
MD5:
SHA256:
4968msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe0144.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
112
TCP/UDP connections
77
DNS requests
82
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4260
msedge.exe
GET
302
140.82.121.4:443
https://github.com/remsi-100hkpj/archivetools/releases/download/archivebooms/Installer2026.zip
US
whitelisted
4260
msedge.exe
GET
304
150.171.28.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
US
whitelisted
4260
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1775464691&lafgdate=0
US
binary
4.60 Kb
whitelisted
4260
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:9gdauNG381VAhK2PlMk4-UBNykRT_xXDpDNCqbc98oY&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
binary
101 b
whitelisted
4260
msedge.exe
GET
200
104.18.22.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
text
25 b
whitelisted
4260
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
text
314 b
whitelisted
4260
msedge.exe
GET
302
172.67.168.190:443
https://goragalo.live/burnout-inst2
US
binary
123 b
unknown
4260
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1775464691&lafgdate=0
US
binary
43.4 Kb
whitelisted
4260
msedge.exe
GET
200
13.107.253.45:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
US
binary
82 b
whitelisted
4260
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=133.0.3065.92&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D1.2.1%26installedby%3Dother%26uc%26ping%3Dr%253D108%2526e%253D1
US
binary
413 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5276
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8000
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
4260
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4260
msedge.exe
150.171.27.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4260
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4260
msedge.exe
13.107.253.45:443
api.edgeoffer.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4260
msedge.exe
104.18.22.222:443
copilot.microsoft.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.20.101
  • 142.251.20.102
  • 142.251.20.100
  • 142.251.20.113
  • 142.251.20.138
  • 142.251.20.139
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
goragalo.live
  • 172.67.168.190
  • 104.21.70.233
unknown
api.edgeoffer.microsoft.com
  • 13.107.253.45
  • 13.107.226.45
whitelisted
copilot.microsoft.com
  • 104.18.22.222
  • 104.18.23.222
whitelisted
github.com
  • 140.82.121.4
whitelisted
release-assets.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.222
  • 2.16.241.205
  • 2.16.241.207
whitelisted

Threats

PID
Process
Class
Message
4260
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access release user assets on GitHub
2232
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
8528
Setup.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
9160
firefox.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
8528
Setup.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
2232
svchost.exe
Misc activity
INFO [ANY.RUN] .cc TLD domain request
9100
chrome.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
9112
msedge.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
8000
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://goragalo.live/burnout-inst2