Malware analysis https://skmedix.pl/downloads Malicious activity

Add for printing

URL:	https://skmedix.pl/downloads
Full analysis:	https://app.any.run/tasks/cd48b700-d262-4301-8292-e5417730fd6b
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	March 16, 2026, 00:12:25
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-doc inno installer delphi adware innosetup loader antivm emmenhtal
Indicators:
MD5:	272470F27C5BC4225712934F7F7AA481
SHA1:	C2B09067D09BD6B44D5294AF20BCD5C12628ABE9
SHA256:	D0817A9C06810DD16C0AEB25387AEDAED6D5D430D9ABCA28CE85973D95772635
SSDEEP:	3:N8Djlen:2/le

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- INNOSETUP has been detected (SURICATA)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
- EMMENHTAL has been detected (YARA)
  - javaw.exe (PID: 9084)
SUSPICIOUS
- Executable content was dropped or overwritten
  - SKlauncher-3.2.18_Setup.exe (PID: 7020)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 6316)
  - javaw.exe (PID: 1672)
- Drops 7-zip archiver for unpacking
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
- Reads the Windows owner or organization settings
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
- The process drops C-runtime libraries
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
- There is functionality for VM detection VMWare (YARA)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 9084)
- The process creates files with name similar to system file names
  - javaw.exe (PID: 8348)
- There is functionality for VM detection antiVM strings (YARA)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 9084)
- There is functionality for VM detection VirtualBox (YARA)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
- Application launched itself
  - javaw.exe (PID: 8348)
- Access to an unwanted program domain was detected
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 6444)
  - SKlauncher-3.2.18_Setup.exe (PID: 7020)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 2488)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 6316)
  - GameBar.exe (PID: 6224)
  - javaw.exe (PID: 1672)
- Reads the computer name
  - identity_helper.exe (PID: 6444)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 6316)
  - GameBar.exe (PID: 6224)
  - javaw.exe (PID: 1672)
- Application launched itself
  - msedge.exe (PID: 1068)
  - msedge.exe (PID: 8596)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 1068)
- Launching a file from the Downloads directory
  - msedge.exe (PID: 1068)
- Reads Environment values
  - identity_helper.exe (PID: 6444)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
- Create files in a temporary directory
  - SKlauncher-3.2.18_Setup.exe (PID: 7020)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 2488)
  - javaw.exe (PID: 6316)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 1672)
- The sample compiled with english language support
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 1672)
  - javaw.exe (PID: 6316)
- Compiled with Borland Delphi (YARA)
  - SKlauncher-3.2.18_Setup.exe (PID: 7020)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
- Detects InnoSetup installer (YARA)
  - SKlauncher-3.2.18_Setup.exe (PID: 7020)
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
- Creates files or folders in the user directory
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 6316)
  - javaw.exe (PID: 1672)
- Creates a software uninstall entry
  - SKlauncher-3.2.18_Setup.tmp (PID: 7956)
- Reads CPU info
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 2488)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 6316)
  - javaw.exe (PID: 1672)
  - javaw.exe (PID: 9084)
- Process checks computer location settings
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 1672)
  - javaw.exe (PID: 6316)
- There is functionality for taking screenshot (YARA)
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 9084)
- Reads the machine GUID from the registry
  - javaw.exe (PID: 8348)
  - javaw.exe (PID: 4552)
  - javaw.exe (PID: 9084)
  - javaw.exe (PID: 1672)
  - javaw.exe (PID: 6316)
- Search a value from a registry key
  - reg.exe (PID: 7296)
- Reads security settings of Internet Explorer
  - javaw.exe (PID: 9084)
  - GameBar.exe (PID: 6224)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

217

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

416

"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer

C:\Windows\System32\GameBarPresenceWriter.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Gamebar Presence Writer

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\gamebarpresencewriter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

1068

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-features=HttpsUpgrades,HttpsFirstModeV2,HttpsOnlyMode,HttpsFirstBalancedMode --no-first-run --no-default-browser-check https://skmedix.pl/downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1432

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7744,i,8388871769564600201,12553727094113729036,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1672

C:\Users\admin\AppData\Roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe -Xdiag -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=16M -Xmx3069m -javaagent:C:\Users\admin\AppData\Roaming\.minecraft\sklauncher-fx.jar -DMcEmu=net.minecraft.client.main.Main -Dlog4j2.formatMsgNoLookups=true -Djava.rmi.server.useCodebaseOnly=true -Dcom.sun.jndi.rmi.object.trustURLCodebase=false -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false -Dsklauncher.discordrpc=true -Dsklauncher.gametype=forge -Dsklauncher.minecraft=1.20.1 -Dsklauncher.dns=true -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Djava.library.path=C:\Users\admin\AppData\Roaming\.minecraft\versions\1.20.1-forge-47.4.10\1.20.1-forge-47.4.10-natives-2251174184707 -Djna.tmpdir=C:\Users\admin\AppData\Roaming\.minecraft\versions\1.20.1-forge-47.4.10\1.20.1-forge-47.4.10-natives-2251174184707 -Dorg.lwjgl.system.SharedLibraryExtractPath=C:\Users\admin\AppData\Roaming\.minecraft\versions\1.20.1-forge-47.4.10\1.20.1-forge-47.4.10-natives-2251174184707 -Dio.netty.native.workdir=C:\Users\admin\AppData\Roaming\.minecraft\versions\1.20.1-forge-47.4.10\1.20.1-forge-47.4.10-natives-2251174184707 -Dminecraft.launcher.brand=java-minecraft-launcher -Dminecraft.launcher.version=1.6.93 -cp C:\Users\admin\AppData\Roaming\.minecraft\libraries\cpw\mods\securejarhandler\2.1.10\securejarhandler-2.1.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm\9.8\asm-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-commons\9.8\asm-commons-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-tree\9.8\asm-tree-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-util\9.8\asm-util-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-analysis\9.8\asm-analysis-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\accesstransformers\8.0.4\accesstransformers-8.0.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\antlr\antlr4-runtime\4.9.1\antlr4-runtime-4.9.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\eventbus\6.0.5\eventbus-6.0.5.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\forgespi\7.0.1\forgespi-7.0.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\coremods\5.2.4\coremods-5.2.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\cpw\mods\modlauncher\10.0.9\modlauncher-10.0.9.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\unsafe\0.2.0\unsafe-0.2.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\mergetool\1.1.5\mergetool-1.1.5-api.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\electronwill\night-config\core\3.6.4\core-3.6.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\electronwill\night-config\toml\3.6.4\toml-3.6.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\maven\maven-artifact\3.8.5\maven-artifact-3.8.5.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\jodah\typetools\0.6.3\typetools-0.6.3.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecrell\terminalconsoleappender\1.2.0\terminalconsoleappender-1.2.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\jline\jline-reader\3.12.1\jline-reader-3.12.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\jline\jline-terminal\3.12.1\jline-terminal-3.12.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\spongepowered\mixin\0.8.5\mixin-0.8.5.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\openjdk\nashorn\nashorn-core\15.4\nashorn-core-15.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\JarJarSelector\0.3.19\JarJarSelector-0.3.19.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\JarJarMetadata\0.3.19\JarJarMetadata-0.3.19.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\cpw\mods\bootstraplauncher\1.1.2\bootstraplauncher-1.1.2.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\JarJarFileSystems\0.3.19\JarJarFileSystems-0.3.19.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\fmlloader\1.20.1-47.4.10\fmlloader-1.20.1-47.4.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\minecraftforge\fmlearlydisplay\1.20.1-47.4.10\fmlearlydisplay-1.20.1-47.4.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\github\oshi\oshi-core\6.2.2\oshi-core-6.2.2.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\google\code\gson\gson\2.10\gson-2.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\google\guava\failureaccess\1.0.1\failureaccess-1.0.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\google\guava\guava\31.1-jre\guava-31.1-jre.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\ibm\icu\icu4j\71.1\icu4j-71.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\authlib\4.0.43\authlib-4.0.43.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\blocklist\1.0.10\blocklist-1.0.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\brigadier\1.1.8\brigadier-1.1.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\datafixerupper\6.0.8\datafixerupper-6.0.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\logging\1.1.1\logging-1.1.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\patchy\2.2.10\patchy-2.2.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\com\mojang\text2speech\1.17.9\text2speech-1.17.9.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-buffer\4.1.82.Final\netty-buffer-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-codec\4.1.82.Final\netty-codec-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-common\4.1.82.Final\netty-common-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-handler\4.1.82.Final\netty-handler-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-resolver\4.1.82.Final\netty-resolver-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-transport-classes-epoll\4.1.82.Final\netty-transport-classes-epoll-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-transport-native-unix-common\4.1.82.Final\netty-transport-native-unix-common-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-transport\4.1.82.Final\netty-transport-4.1.82.Final.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\it\unimi\dsi\fastutil\8.5.9\fastutil-8.5.9.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\java\dev\jna\jna-platform\5.12.1\jna-platform-5.12.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\java\dev\jna\jna\5.12.1\jna-5.12.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\net\sf\jopt-simple\jopt-simple\5.0.4\jopt-simple-5.0.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-compress\1.21\commons-compress-1.21.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-lang3\3.12.0\commons-lang3-3.12.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpclient\4.5.13\httpclient-4.5.13.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpcore\4.4.15\httpcore-4.4.15.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-api\2.19.0\log4j-api-2.19.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-core\2.19.0\log4j-core-2.19.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-slf4j2-impl\2.19.0\log4j-slf4j2-impl-2.19.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\joml\joml\1.10.5\joml-1.10.5.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.1\lwjgl-glfw-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.1\lwjgl-glfw-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.1\lwjgl-glfw-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.1\lwjgl-glfw-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.1\lwjgl-jemalloc-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.1\lwjgl-jemalloc-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.1\lwjgl-jemalloc-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.1\lwjgl-jemalloc-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.1\lwjgl-openal-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.1\lwjgl-openal-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.1\lwjgl-openal-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.1\lwjgl-openal-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.1\lwjgl-opengl-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.1\lwjgl-opengl-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.1\lwjgl-opengl-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.1\lwjgl-opengl-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.1\lwjgl-stb-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.1\lwjgl-stb-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.1\lwjgl-stb-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.1\lwjgl-stb-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.1\lwjgl-tinyfd-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.1\lwjgl-tinyfd-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.1\lwjgl-tinyfd-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.1\lwjgl-tinyfd-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.1\lwjgl-3.3.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.1\lwjgl-3.3.1-natives-windows.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.1\lwjgl-3.3.1-natives-windows-arm64.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.1\lwjgl-3.3.1-natives-windows-x86.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries\org\slf4j\slf4j-api\2.0.1\slf4j-api-2.0.1.jar;C:\Users\admin\AppData\Roaming\.minecraft\versions\1.20.1-forge-47.4.10\1.20.1-forge-47.4.10.jar -Djava.net.preferIPv6Addresses=system -DignoreList=bootstraplauncher,securejarhandler,asm-commons,asm-util,asm-analysis,asm-tree,asm,JarJarFileSystems,client-extra,fmlcore,javafmllanguage,lowcodelanguage,mclanguage,forge-,1.20.1-forge-47.4.10.jar -DmergeModules=jna-5.10.0.jar,jna-platform-5.10.0.jar -DlibraryDirectory=C:\Users\admin\AppData\Roaming\.minecraft\libraries -p C:\Users\admin\AppData\Roaming\.minecraft\libraries/cpw/mods/bootstraplauncher/1.1.2/bootstraplauncher-1.1.2.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/cpw/mods/securejarhandler/2.1.10/securejarhandler-2.1.10.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/org/ow2/asm/asm-commons/9.8/asm-commons-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/org/ow2/asm/asm-util/9.8/asm-util-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/org/ow2/asm/asm-analysis/9.8/asm-analysis-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/org/ow2/asm/asm-tree/9.8/asm-tree-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/org/ow2/asm/asm/9.8/asm-9.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\libraries/net/minecraftforge/JarJarFileSystems/0.3.19/JarJarFileSystems-0.3.19.jar --add-modules ALL-MODULE-PATH --add-opens java.base/java.util.jar=cpw.mods.securejarhandler --add-opens java.base/java.lang.invoke=cpw.mods.securejarhandler --add-exports java.base/sun.security.util=cpw.mods.securejarhandler --add-exports jdk.naming.dns/com.sun.jndi.dns=java.naming cpw.mods.bootstraplauncher.BootstrapLauncher --username AnyRUn --version 1.20.1-forge-47.4.10 --gameDir C:\Users\admin\AppData\Roaming\.minecraft --assetsDir C:\Users\admin\AppData\Roaming\.minecraft\assets --assetIndex 5 --uuid 163d60bfd0533d89891890c63f7d3985 --accessToken 16138cb2de3842549f3bb3d1e2d68724 --clientId 0 --xuid 0 --userType msa --versionType release --width 854 --height 480 --launchTarget forgeclient --fml.forgeVersion 47.4.10 --fml.mcVersion 1.20.1 --fml.forgeGroup net.minecraftforge --fml.mcpVersion 20230612.114412

C:\Users\admin\AppData\Roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe

javaw.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

OpenJDK Platform binary

Version:

17.0.15.0

Modules

Images
c:\users\admin\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\jli.dll
c:\windows\system32\user32.dll
c:\users\admin\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\vcruntime140.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2096

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5908,i,8388871769564600201,12553727094113729036,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=8080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2368

"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer

C:\Windows\System32\GameBarPresenceWriter.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Gamebar Presence Writer

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\gamebarpresencewriter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

2376

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3644,i,8388871769564600201,12553727094113729036,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2424

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2488

C:\Users\admin\AppData\Roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe -XshowSettings:properties -version

C:\Users\admin\AppData\Roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe

—

javaw.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

OpenJDK Platform binary

Exit code:

Version:

17.0.15.0

Modules

Images
c:\users\admin\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\vcruntime140.dll
c:\users\admin\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\jli.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\win32u.dll

2548

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5768,i,8388871769564600201,12553727094113729036,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

7 617

Read events

7 571

Write events

Delete events

Modification events


(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.6.1
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Users\admin\AppData\Roaming\sklauncher
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Roaming\sklauncher\
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: SKlauncher
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	Inno Setup: Language
Value: default
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	DisplayName
Value: SKlauncher 3.2.18
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Roaming\sklauncher\icon.ico
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	UninstallString
Value: "C:\Users\admin\AppData\Roaming\sklauncher\unins000.exe"
(PID) Process:	(7956) SKlauncher-3.2.18_Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A151427E-7A46-4D6D-8534-C4C04BADA77A}_is1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Roaming\sklauncher\unins000.exe" /SILENT

Add for printing

Executable files

471

Suspicious files

3 988

Text files

1 139

Unknown types

Dropped files

PID	Process	Filename		Type
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e5486.TMP		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e5496.TMP		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e5496.TMP		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e5496.TMP		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e54c5.TMP		—
		MD5:—	SHA256:—
1068	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

618

TCP/UDP connections

807

DNS requests

214

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6912	msedge.exe	GET	200	150.171.28.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:BGq5TPPmgn6kGI7kaF7rOQKCuMl67s-8f2bQ-Rwk070&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/downloads	unknown	html	364 Kb	unknown
6912	msedge.exe	GET	200	150.171.28.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	text	446 b	whitelisted
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/__h82AlnkH6D92__.js	unknown	text	18.2 Kb	unknown
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/_nuxt/default.DgFqDw6P.css	unknown	—	3.81 Kb	unknown
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/_nuxt/BCRoACo3.js	unknown	—	30.5 Kb	unknown
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/_nuxt/BfV-H63y.js	unknown	—	488 Kb	unknown
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/_nuxt/CuFpDbiZ.js	unknown	—	1.98 Kb	unknown
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/_nuxt/DA_d6lDh.js	unknown	—	591 b	unknown
6912	msedge.exe	GET	200	188.114.96.3:443	https://skmedix.pl/_nuxt/D6JpL7Rv.js	unknown	text	8.65 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7236	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
8736	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6912	msedge.exe	52.123.243.87:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6912	msedge.exe	150.171.28.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6912	msedge.exe	150.171.28.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6912	msedge.exe	188.114.96.3:443	skmedix.pl	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
self.events.data.microsoft.com	13.69.116.104 13.89.178.27	whitelisted
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	172.217.16.206	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
edge.microsoft.com	150.171.28.11 150.171.27.11	whitelisted
config.edge.skype.com	52.123.243.87 52.123.243.221 52.123.224.71 52.123.243.78 52.123.243.79 52.123.243.83 52.123.243.219 52.123.243.223	whitelisted
skmedix.pl	188.114.96.3 188.114.97.3	unknown
api.edgeoffer.microsoft.com	13.107.246.44 13.107.213.44	whitelisted
copilot.microsoft.com	104.18.22.222 104.18.23.222	whitelisted
www.bing.com	92.123.104.33 92.123.104.8 92.123.104.34 92.123.104.52 92.123.104.28 92.123.104.44 92.123.104.63 92.123.104.19 92.123.104.60 2.16.241.205 2.16.241.218 2.16.241.201 184.86.251.19 184.86.251.27 184.86.251.7 184.86.251.22	whitelisted

Threats

PID	Process	Class	Message
6912	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
6912	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
7236	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
6912	msedge.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
2292	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7956	SKlauncher-3.2.18_Setup.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
7956	SKlauncher-3.2.18_Setup.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
7956	SKlauncher-3.2.18_Setup.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
7956	SKlauncher-3.2.18_Setup.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer

Add for printing

No debug info

General Info

https://skmedix.pl/downloads

272470F27C5BC4225712934F7F7AA481

C2B09067D09BD6B44D5294AF20BCD5C12628ABE9

D0817A9C06810DD16C0AEB25387AEDAED6D5D430D9ABCA28CE85973D95772635

3:N8Djlen:2/le

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

INNOSETUP has been detected (SURICATA)

EMMENHTAL has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Reads the Windows owner or organization settings

The process drops C-runtime libraries

There is functionality for VM detection VMWare (YARA)

The process creates files with name similar to system file names

There is functionality for VM detection antiVM strings (YARA)

There is functionality for VM detection VirtualBox (YARA)

Application launched itself

Access to an unwanted program domain was detected

INFO

Checks supported languages

Reads the computer name

Application launched itself

Executable content was dropped or overwritten

Launching a file from the Downloads directory

Reads Environment values

Create files in a temporary directory

The sample compiled with english language support

Compiled with Borland Delphi (YARA)

Detects InnoSetup installer (YARA)

Creates files or folders in the user directory

Creates a software uninstall entry

Reads CPU info

Process checks computer location settings

There is functionality for taking screenshot (YARA)

Reads the machine GUID from the registry

Search a value from a registry key

Reads security settings of Internet Explorer

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats