File name:

X-Plane 12 Global Scenery.torrent

Full analysis: https://app.any.run/tasks/fe8e7210-f8ce-4d96-9cfc-9531a01cf357
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 20, 2024, 19:46:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
loader
netreactor
miner
Indicators:
MIME: application/x-bittorrent
File info: BitTorrent file
MD5:

DB9954EEE3F81367A609020230C636FB

SHA1:

843E4667DD55B82FFB735AD3796E0F2C066F847B

SHA256:

C3DBBB8272EE0A4F23692F695C2C683A4D5B676FC34C0D5D69BA7D444B281471

SSDEEP:

6144:YTNti13XH+SrEphvym4VcISba/m9d81iUqrDmsACNQTNrJ12cUe90+mLLmnf:0i1HfrSyLC9f3hUqrQTNrJMzmgLLmnf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 1944)
      • rsEngineSvc.exe (PID: 6424)
      • rsVPNSvc.exe (PID: 8976)
      • rsDNSSvc.exe (PID: 8620)
    • Changes the autorun value in the registry

      • utweb.exe (PID: 7196)
      • rundll32.exe (PID: 6592)
      • rundll32.exe (PID: 2456)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • utweb_installer.exe (PID: 7500)
      • utweb_installer.exe (PID: 6040)
      • utweb_installer.tmp (PID: 7912)
      • utweb_installer.exe (PID: 7900)
      • component0.exe (PID: 3316)
      • 4rqgbryj.exe (PID: 1104)
      • UnifiedStub-installer.exe (PID: 1944)
      • utweb.exe (PID: 7196)
    • Drops the executable file immediately after the start

      • utweb_installer.exe (PID: 7500)
      • utweb_installer.tmp (PID: 7912)
      • utweb_installer.exe (PID: 6040)
      • utweb_installer.exe (PID: 7900)
      • 4rqgbryj.exe (PID: 1104)
      • component0.exe (PID: 3316)
      • UnifiedStub-installer.exe (PID: 1944)
      • utweb.exe (PID: 7196)
    • Reads the date of Windows installation

      • utweb_installer.tmp (PID: 7576)
      • utweb_installer.tmp (PID: 7912)
      • component0.exe (PID: 3316)
      • rsEDRSvc.exe (PID: 7064)
      • rsEngineSvc.exe (PID: 6424)
    • Reads security settings of Internet Explorer

      • utweb_installer.tmp (PID: 7576)
      • utweb_installer.tmp (PID: 7912)
      • utweb_installer.exe (PID: 7900)
      • component0.exe (PID: 3316)
      • utweb.exe (PID: 7196)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 5700)
      • rsEngineSvc.exe (PID: 1928)
      • rsEDRSvc.exe (PID: 6444)
      • rsEngineSvc.exe (PID: 6424)
      • rsVPNSvc.exe (PID: 8904)
      • rsDNSSvc.exe (PID: 8424)
    • Reads the Windows owner or organization settings

      • utweb_installer.tmp (PID: 7912)
    • Mutex name with non-standard characters

      • utweb_installer.tmp (PID: 7912)
    • The process creates files with name similar to system file names

      • utweb_installer.exe (PID: 7900)
      • UnifiedStub-installer.exe (PID: 1944)
    • Process drops legitimate windows executable

      • utweb_installer.exe (PID: 7900)
      • 4rqgbryj.exe (PID: 1104)
      • UnifiedStub-installer.exe (PID: 1944)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • utweb_installer.exe (PID: 7900)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 1944)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 2628)
      • rsWSC.exe (PID: 320)
      • rsEngineSvc.exe (PID: 6424)
      • rsClientSvc.exe (PID: 3812)
      • WmiApSrv.exe (PID: 5540)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNClientSvc.exe (PID: 8864)
      • rsVPNSvc.exe (PID: 8976)
      • WmiApSrv.exe (PID: 6716)
      • rsDNSClientSvc.exe (PID: 3896)
      • rsDNSSvc.exe (PID: 8620)
      • rsDNSResolver.exe (PID: 8812)
      • WmiApSrv.exe (PID: 8756)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 1944)
      • rsVPNSvc.exe (PID: 8976)
    • Checks Windows Trust Settings

      • utweb.exe (PID: 7196)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 5700)
      • rsEngineSvc.exe (PID: 1928)
      • rsWSC.exe (PID: 320)
      • rsEngineSvc.exe (PID: 6424)
      • rsEDRSvc.exe (PID: 6444)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNSvc.exe (PID: 8904)
      • rsDNSSvc.exe (PID: 8424)
    • Potential Corporate Privacy Violation

      • utweb.exe (PID: 7196)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 5700)
      • rsEngineSvc.exe (PID: 6424)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 1944)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 1944)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 1944)
      • rundll32.exe (PID: 6592)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 1944)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 1944)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 1944)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 1944)
    • Dropped object may contain URLs of mining pools

      • rsEngineSvc.exe (PID: 6424)
    • Reads the BIOS version

      • rsEDRSvc.exe (PID: 7064)
      • rsEngineSvc.exe (PID: 6424)
    • Application launched itself

      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8772)
    • The process checks if it is being run in the virtual environment

      • rsEngineSvc.exe (PID: 6424)
      • rsVPNSvc.exe (PID: 8976)
      • rsDNSSvc.exe (PID: 8620)
    • Process checks whether PowerShell's Script Block Logging is on

      • rsEDRSvc.exe (PID: 7064)
    • There is functionality for taking screenshot (YARA)

      • rsHelper.exe (PID: 1280)
    • Connects to unusual port

      • utweb.exe (PID: 7196)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 6768)
      • cmd.exe (PID: 4668)
    • Starts CMD.EXE for commands execution

      • rsDNSSvc.exe (PID: 8620)
  • INFO

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6780)
      • msedge.exe (PID: 7068)
      • msedge.exe (PID: 568)
      • utweb.exe (PID: 7196)
    • Manual execution by a user

      • msedge.exe (PID: 7068)
      • utweb.exe (PID: 8036)
      • utweb.exe (PID: 8644)
      • utweb.exe (PID: 3964)
      • utweb.exe (PID: 8984)
    • Checks supported languages

      • identity_helper.exe (PID: 2132)
      • utweb_installer.exe (PID: 7500)
      • utweb_installer.tmp (PID: 7576)
      • utweb_installer.exe (PID: 6040)
      • utweb_installer.tmp (PID: 7912)
      • utweb_installer.exe (PID: 7900)
      • component0.exe (PID: 3316)
      • 4rqgbryj.exe (PID: 1104)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsSyncSvc.exe (PID: 7924)
      • rsSyncSvc.exe (PID: 2628)
      • utweb.exe (PID: 7196)
      • identity_helper.exe (PID: 7172)
      • helper.exe (PID: 7024)
      • utweb.exe (PID: 8036)
      • rsWSC.exe (PID: 5700)
      • rsWSC.exe (PID: 320)
      • rsClientSvc.exe (PID: 3812)
      • rsEngineSvc.exe (PID: 1928)
      • rsEngineSvc.exe (PID: 6424)
      • rsClientSvc.exe (PID: 8052)
      • rsEDRSvc.exe (PID: 6444)
      • rsHelper.exe (PID: 1280)
      • rsEDRSvc.exe (PID: 7064)
      • EPP.exe (PID: 5492)
      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 2132)
      • rsAppUI.exe (PID: 5084)
      • rsAppUI.exe (PID: 6528)
      • rsAppUI.exe (PID: 8248)
      • rsLitmus.A.exe (PID: 8328)
      • rsVPNClientSvc.exe (PID: 8864)
      • rsVPNSvc.exe (PID: 8904)
      • rsVPNClientSvc.exe (PID: 8816)
      • rsVPNSvc.exe (PID: 8976)
      • VPN.exe (PID: 9104)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8508)
      • rsAppUI.exe (PID: 6188)
      • rsAppUI.exe (PID: 8544)
      • rsAppUI.exe (PID: 8664)
      • rsDNSClientSvc.exe (PID: 3896)
      • rsDNSClientSvc.exe (PID: 8908)
      • utweb.exe (PID: 8644)
      • rsDNSSvc.exe (PID: 8620)
      • rsDNSResolver.exe (PID: 8812)
      • rsDNSSvc.exe (PID: 8424)
      • rsDNSResolver.exe (PID: 9108)
      • rsDNSResolver.exe (PID: 8052)
      • DNS.exe (PID: 8776)
      • rsAppUI.exe (PID: 8772)
      • rsAppUI.exe (PID: 6340)
      • rsAppUI.exe (PID: 4076)
      • rsAppUI.exe (PID: 3244)
      • utweb.exe (PID: 3964)
      • rsAppUI.exe (PID: 6584)
      • rsAppUI.exe (PID: 9600)
      • utweb.exe (PID: 8984)
    • Reads Environment values

      • identity_helper.exe (PID: 2132)
      • component0.exe (PID: 3316)
      • UnifiedStub-installer.exe (PID: 1944)
      • identity_helper.exe (PID: 7172)
      • rsEngineSvc.exe (PID: 6424)
      • rsEDRSvc.exe (PID: 7064)
      • rsAppUI.exe (PID: 1048)
      • rsVPNSvc.exe (PID: 8976)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8772)
      • rsDNSSvc.exe (PID: 8620)
    • Reads the computer name

      • identity_helper.exe (PID: 2132)
      • utweb_installer.tmp (PID: 7576)
      • utweb_installer.tmp (PID: 7912)
      • component0.exe (PID: 3316)
      • utweb_installer.exe (PID: 7900)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsSyncSvc.exe (PID: 7924)
      • utweb.exe (PID: 7196)
      • rsSyncSvc.exe (PID: 2628)
      • identity_helper.exe (PID: 7172)
      • helper.exe (PID: 7024)
      • rsWSC.exe (PID: 5700)
      • rsWSC.exe (PID: 320)
      • rsEngineSvc.exe (PID: 1928)
      • rsClientSvc.exe (PID: 8052)
      • rsClientSvc.exe (PID: 3812)
      • rsEngineSvc.exe (PID: 6424)
      • rsHelper.exe (PID: 1280)
      • rsEDRSvc.exe (PID: 6444)
      • rsEDRSvc.exe (PID: 7064)
      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 5084)
      • rsAppUI.exe (PID: 2132)
      • rsVPNClientSvc.exe (PID: 8816)
      • rsVPNClientSvc.exe (PID: 8864)
      • rsVPNSvc.exe (PID: 8904)
      • rsVPNSvc.exe (PID: 8976)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 6188)
      • rsDNSClientSvc.exe (PID: 8908)
      • rsDNSClientSvc.exe (PID: 3896)
      • rsAppUI.exe (PID: 8544)
      • rsDNSResolver.exe (PID: 8812)
      • rsDNSResolver.exe (PID: 8052)
      • rsDNSSvc.exe (PID: 8424)
      • rsDNSSvc.exe (PID: 8620)
      • rsAppUI.exe (PID: 8772)
      • rsAppUI.exe (PID: 6584)
      • rsAppUI.exe (PID: 6340)
      • rsAppUI.exe (PID: 3244)
      • rsAppUI.exe (PID: 9600)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5888)
      • msedge.exe (PID: 7068)
    • The process uses the downloaded file

      • msedge.exe (PID: 6768)
      • msedge.exe (PID: 7068)
      • msedge.exe (PID: 9388)
      • rsEngineSvc.exe (PID: 6424)
    • Create files in a temporary directory

      • utweb_installer.exe (PID: 7500)
      • utweb_installer.exe (PID: 7900)
      • utweb_installer.tmp (PID: 7912)
      • utweb_installer.exe (PID: 6040)
      • component0.exe (PID: 3316)
      • 4rqgbryj.exe (PID: 1104)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8772)
    • Application launched itself

      • msedge.exe (PID: 7068)
      • msedge.exe (PID: 568)
    • Process checks computer location settings

      • utweb_installer.tmp (PID: 7576)
      • utweb_installer.tmp (PID: 7912)
      • component0.exe (PID: 3316)
      • rsAppUI.exe (PID: 6528)
      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 8248)
      • rsVPNSvc.exe (PID: 8976)
      • rsAppUI.exe (PID: 8664)
      • rsAppUI.exe (PID: 8508)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 4076)
      • rsAppUI.exe (PID: 8772)
    • Reads the software policy settings

      • utweb_installer.tmp (PID: 7912)
      • component0.exe (PID: 3316)
      • utweb.exe (PID: 7196)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 5700)
      • rsEngineSvc.exe (PID: 1928)
      • rsEngineSvc.exe (PID: 6424)
      • rsWSC.exe (PID: 320)
      • rsEDRSvc.exe (PID: 6444)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNSvc.exe (PID: 8904)
      • rsVPNSvc.exe (PID: 8976)
      • rsDNSSvc.exe (PID: 8424)
      • rsDNSSvc.exe (PID: 8620)
    • Reads the machine GUID from the registry

      • utweb_installer.tmp (PID: 7912)
      • component0.exe (PID: 3316)
      • UnifiedStub-installer.exe (PID: 1944)
      • utweb.exe (PID: 7196)
      • rsWSC.exe (PID: 5700)
      • rsWSC.exe (PID: 320)
      • rsEngineSvc.exe (PID: 1928)
      • rsEngineSvc.exe (PID: 6424)
      • rsHelper.exe (PID: 1280)
      • rsEDRSvc.exe (PID: 6444)
      • rsEDRSvc.exe (PID: 7064)
      • rsAppUI.exe (PID: 1048)
      • rsVPNSvc.exe (PID: 8904)
      • rsVPNSvc.exe (PID: 8976)
      • rsAppUI.exe (PID: 9132)
      • rsDNSSvc.exe (PID: 8424)
      • rsDNSSvc.exe (PID: 8620)
      • rsAppUI.exe (PID: 8772)
      • rsAppUI.exe (PID: 3244)
      • rsAppUI.exe (PID: 9600)
    • Checks proxy server information

      • utweb_installer.tmp (PID: 7912)
      • utweb_installer.exe (PID: 7900)
      • component0.exe (PID: 3316)
      • UnifiedStub-installer.exe (PID: 1944)
      • utweb.exe (PID: 7196)
      • rsWSC.exe (PID: 5700)
      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8772)
    • Creates files or folders in the user directory

      • utweb_installer.exe (PID: 7900)
      • utweb.exe (PID: 7196)
      • helper.exe (PID: 7024)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 5700)
      • rsEngineSvc.exe (PID: 6424)
      • rsAppUI.exe (PID: 1048)
      • rsAppUI.exe (PID: 2132)
      • rsVPNSvc.exe (PID: 8976)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8544)
      • rsDNSSvc.exe (PID: 8620)
      • rsAppUI.exe (PID: 8772)
      • rsAppUI.exe (PID: 3244)
      • rsAppUI.exe (PID: 6340)
    • Creates a software uninstall entry

      • utweb_installer.exe (PID: 7900)
    • Disables trace logs

      • component0.exe (PID: 3316)
      • UnifiedStub-installer.exe (PID: 1944)
      • rsEngineSvc.exe (PID: 6424)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNSvc.exe (PID: 8976)
      • rsDNSSvc.exe (PID: 8620)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 5700)
      • rsEngineSvc.exe (PID: 1928)
      • rsEDRSvc.exe (PID: 6444)
      • rsEngineSvc.exe (PID: 6424)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNSvc.exe (PID: 8976)
      • rsVPNSvc.exe (PID: 8904)
      • rsDNSResolver.exe (PID: 8052)
      • rsDNSResolver.exe (PID: 8812)
      • rsDNSSvc.exe (PID: 8424)
      • rsDNSSvc.exe (PID: 8620)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 1944)
      • rsWSC.exe (PID: 320)
      • rsEngineSvc.exe (PID: 6424)
      • rsHelper.exe (PID: 1280)
      • rsEDRSvc.exe (PID: 7064)
    • Reads the time zone

      • runonce.exe (PID: 3896)
      • rsEngineSvc.exe (PID: 6424)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNSvc.exe (PID: 8976)
      • runonce.exe (PID: 6340)
      • rsDNSSvc.exe (PID: 8620)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 3896)
      • runonce.exe (PID: 6340)
    • Reads product name

      • rsEDRSvc.exe (PID: 7064)
      • rsAppUI.exe (PID: 1048)
      • rsEngineSvc.exe (PID: 6424)
      • rsAppUI.exe (PID: 9132)
      • rsAppUI.exe (PID: 8772)
    • Reads CPU info

      • rsEngineSvc.exe (PID: 6424)
      • rsEDRSvc.exe (PID: 7064)
      • rsVPNSvc.exe (PID: 8976)
      • rsDNSSvc.exe (PID: 8620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.torrent | Torrent (trackerless) (57.6)
.torrent | Torrent (42.3)

EXIF

Torrent

Announce: http://88.206.0.174:9000/announce
Creator: qBittorrent v4.4.5
CreateDate: 2022:09:08 06:04:25+00:00
Length: 57488750550
Name: Global Scenery.zip
PieceLength: 4194304
Pieces: (Binary data 274140 bytes, use -b option to extract)
Source: http://88.206.0.174:9000/announce
No data.
All screenshots are available in the full report
Total processes: 332
Monitored processes: 186
Malicious processes: 14
Suspicious processes: 7


Process information

PID
CMD
Path
Indicators
Parent process
PID: 320
CMD: "C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
Path: C:\Program Files\ReasonLabs\EPP\rsWSC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
rsWSC
Version:
6.0.3.0
Modules
Images
c:\program files\reasonlabs\epp\rswsc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7552 --field-trial-handle=2324,i,310261798105034904,15586369750183793814,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID: 568
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1020
CMD: "C:\Windows\System32\grpconv.exe" -o
Path: C:\Windows\System32\grpconv.exe
Parent process: runonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1048
CMD: "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
Path: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
Parent process: EPP.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
MEDIUM
Description:
ReasonLabs Application
Version:
1.4.2
Modules
Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1104
CMD: "C:\Users\admin\AppData\Local\Temp\4rqgbryj.exe" /silent
Path: C:\Users\admin\AppData\Local\Temp\4rqgbryj.exe
Parent process: component0.exe
User:
admin
Company:
ReasonLabs
Integrity Level:
HIGH
Description:
ReasonLabs-setup-wizard.exe
Exit code:
0
Version:
6.0.6
Modules
Images
c:\users\admin\appdata\local\temp\4rqgbryj.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1280
CMD: "c:\program files\reasonlabs\epp\rsHelper.exe"
Path: C:\Program Files\ReasonLabs\EPP\rsHelper.exe
Parent process: rsEngineSvc.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
MEDIUM
Description:
rsHelper
Version:
3.2.0.0
Modules
Images
c:\program files\reasonlabs\epp\rshelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1608
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5196 --field-trial-handle=2324,i,310261798105034904,15586369750183793814,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1640
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7764 --field-trial-handle=2324,i,310261798105034904,15586369750183793814,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1920
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7620 --field-trial-handle=2324,i,310261798105034904,15586369750183793814,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 148,225
Read events: 147,311
Write events: 705
Delete events: 209

Modification events

(PID) Process: (6780) OpenWith.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-205
Value: Word

(PID) Process: (6780) OpenWith.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @wmploc.dll,-102
Value: Windows Media Player

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: dr
Value: 1

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (7068) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation: write
Name: UsageStatsInSample
Value: 1
Executable files: 923
Suspicious files: 1,403
Text files: 363
Unknown types: 44

Dropped files

PID | Process | Filename
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11f4ae.TMP
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF11f4bd.TMP
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11f4bd.TMP
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11f4ec.TMP
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF11f50b.TMP
7068 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 137
TCP/UDP connections: 940
DNS requests: 447
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5888 | msedge.exe | GET | 304 | 184.24.77.69:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | unknown | malicious
5888 | msedge.exe | GET | 304 | 69.192.161.44:80 | http://x1.i.lencr.org/ | unknown | whitelisted
5888 | msedge.exe | GET | 304 | 69.192.161.44:80 | http://r3.i.lencr.org/ | unknown | whitelisted
608 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
7804 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7068 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
7068 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
7068 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA74MnP04YNx7ulsojvPs3Y%3D | unknown | whitelisted
7892 | svchost.exe | HEAD | 200 | 23.48.23.162:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/84b6cf48-0afe-4ab7-b9e3-6ef9c6b7edd4?P1=1724632571&P2=404&P3=2&P4=k%2bOZTdZsGE3kycV5616NP2g5Jx%2f3rxqghh4oL72EwjYBxBNQ3rqxNOT9IbqvgianUcJldgGdyNuV0ukbJm2%2f%2bA%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3180 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5500 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3180 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7068 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
5888 | msedge.exe | 204.79.197.203:443 | ntp.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5888 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5888 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5888 | msedge.exe | 13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.184.206 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
ntp.msn.com | 204.79.197.203 | whitelisted
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
business.bing.com | 13.107.6.158 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.45 | whitelisted
bzib.nelreports.net | 23.48.23.46, 23.48.23.51, 23.50.131.21, 23.50.131.30, 23.48.23.26 | whitelisted
img-s-msn-com.akamaized.net | 2.21.20.134, 2.21.20.153 | whitelisted
sb.scorecardresearch.com | 18.244.18.38, 18.244.18.122, 18.244.18.27, 18.244.18.32 | shared

Threats

PID | Process | Class | Message
5888 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
5888 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
5888 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
5888 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
7900 | utweb_installer.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
7900 | utweb_installer.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
7196 | utweb.exe | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT ping request
7196 | utweb.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3
7196 | utweb.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
5888 | msedge.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (polyfill .io) in DNS Lookup
Process | Message
rsEngineSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
rsEDRSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...
rsVPNSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\VPN\x64\SQLite.Interop.dll"...