File name: tf.exe

Full analysis: https://app.any.run/tasks/46705aa8-046c-4f69-831f-db8e7e022026
Verdict: Malicious activity
Analysis date: April 19, 2025, 01:14:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 4 sections
MD5: 1453B76FAECEDA78A408287799CA5C40
SHA1: A8E815A62389523216639CDE22148F919E782727
SHA256: D28CD43A927F71D058B752703416C42B4C7C5A1D35E6BF99D9A53EACE2D1563C
SSDEEP: 768:LB1TVTxyxEMlpSQq3aoUWckZYM6RE+HRmzPm9Fz:dlVgxDlguxWckuRE+6Kz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • sfc.exe (PID: 6940)
  • SUSPICIOUS

    • Executes application which crashes

      • CHXSmartScreen.exe (PID: 5428)
      • AddSuggestedFoldersToLibraryDialog.exe (PID: 4608)
      • SecHealthUI.exe (PID: 5376)
      • NarratorQuickStart.exe (PID: 5188)
      • OOBENetworkCaptivePortal.exe (PID: 4040)
      • Microsoft.AAD.BrokerPlugin.exe (PID: 1128)
    • Executable content was dropped or overwritten

      • RTLCPL.EXE (PID: 6872)
      • OneDriveSetup.exe (PID: 5244)
    • There is functionality for taking screenshot (YARA)

      • RTBK.EXE (PID: 2516)
    • Uses ICACLS.EXE to modify access control lists

      • tf.exe (PID: 2320)
    • Starts another process probably with elevated privileges via RUNAS.EXE

      • runas.exe (PID: 2896)
    • Uses NSLOOKUP.EXE to check DNS info

      • tf.exe (PID: 2320)
    • Reads security settings of Internet Explorer

      • CasPol.exe (PID: 1128)
      • ComSvcConfig.exe (PID: 7812)
    • Reads the date of Windows installation

      • dw20.exe (PID: 5984)
    • Starts POWERSHELL.EXE for commands execution

      • tf.exe (PID: 2320)
    • Creates file in the systems drive root

      • RTLCPL.EXE (PID: 6872)
    • Get information on the list of running processes

      • tf.exe (PID: 2320)
    • Application launched itself

      • OneDriveSetup.exe (PID: 3796)
    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 5212)
    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 4884)
    • The process creates files with name similar to system file names

      • OneDriveSetup.exe (PID: 5244)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5212)
    • Uses SYSTEMINFO.EXE to read the environment

      • stordiag.exe (PID: 3992)
    • Searches and executes a command on selected files

      • forfiles.exe (PID: 4884)
    • Process copies executable file

      • tf.exe (PID: 2320)
    • Reads the history of recent RDP connections

      • mstsc.exe (PID: 8060)
      • mstsc.exe (PID: 7624)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 5244)
  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 5124)
      • slui.exe (PID: 5260)
      • powershell.exe (PID: 1748)
      • dw20.exe (PID: 5984)
      • OneDriveSetup.exe (PID: 3796)
      • OneDriveSetup.exe (PID: 5244)
      • stordiag.exe (PID: 3992)
      • ComSvcConfig.exe (PID: 7812)
    • Reads the computer name

      • tf.exe (PID: 2320)
      • FlashUtil32_32_0_0_465_Plugin.exe (PID: 2244)
      • CasPol.exe (PID: 1128)
      • FlashUtil32_32_0_0_465_pepper.exe (PID: 680)
      • aspnet_state.exe (PID: 1184)
      • aspnet_regsql.exe (PID: 7136)
      • TrustedInstaller.exe (PID: 5188)
      • dw20.exe (PID: 5984)
      • WsatConfig.exe (PID: 3800)
      • MSBuild.exe (PID: 6516)
      • AddInProcess32.exe (PID: 720)
      • RTBK.EXE (PID: 2516)
      • RTLCPL.EXE (PID: 6872)
      • RegSvcs.exe (PID: 4164)
      • logtransport2.exe (PID: 1812)
      • BitLockerToGo.exe (PID: 6640)
      • PSEXESVC.exe (PID: 6744)
      • acrobroker.exe (PID: 7584)
      • MSBuild.exe (PID: 7636)
      • WsatConfig.exe (PID: 1128)
      • AddInUtil.exe (PID: 7228)
      • aspnet_regsql.exe (PID: 7792)
      • ComSvcConfig.exe (PID: 7812)
    • Checks supported languages

      • tf.exe (PID: 2320)
      • CHXSmartScreen.exe (PID: 5428)
      • RTLCPL.EXE (PID: 6872)
      • RTBK.EXE (PID: 2516)
      • AddInProcess.exe (PID: 5452)
      • ilasm.exe (PID: 3124)
      • tar.exe (PID: 6980)
      • CasPol.exe (PID: 1128)
      • AddSuggestedFoldersToLibraryDialog.exe (PID: 4608)
      • IEExec.exe (PID: 2420)
      • dw20.exe (PID: 5984)
      • FlashUtil32_32_0_0_465_pepper.exe (PID: 680)
      • csc.exe (PID: 7052)
      • aspnet_state.exe (PID: 1184)
      • aspnet_regsql.exe (PID: 7136)
      • TrustedInstaller.exe (PID: 5188)
      • SecHealthUI.exe (PID: 5376)
      • PresentationHost.exe (PID: 4884)
      • CasPol.exe (PID: 2776)
      • WsatConfig.exe (PID: 3800)
      • aspnet_compiler.exe (PID: 1128)
      • MSBuild.exe (PID: 6516)
      • AddInProcess32.exe (PID: 720)
      • NarratorQuickStart.exe (PID: 5188)
      • aspnet_regbrowsers.exe (PID: 2384)
      • CPLUtl64.exe (PID: 4164)
      • vbc.exe (PID: 6372)
      • csc.exe (PID: 2776)
      • UndockedDevKit.exe (PID: 2560)
      • dw20.exe (PID: 1040)
      • RegSvcs.exe (PID: 4164)
      • BitLockerToGo.exe (PID: 6640)
      • logtransport2.exe (PID: 1812)
      • OOBENetworkCaptivePortal.exe (PID: 4040)
      • FlashUtil32_32_0_0_465_Plugin.exe (PID: 2244)
      • RegSvcs.exe (PID: 2568)
      • Microsoft.AAD.BrokerPlugin.exe (PID: 1128)
      • PSEXESVC.exe (PID: 6744)
      • acrobroker.exe (PID: 7584)
      • MSBuild.exe (PID: 7636)
      • ComSvcConfig.exe (PID: 7812)
      • WsatConfig.exe (PID: 1128)
      • AddInUtil.exe (PID: 7228)
      • aspnet_regsql.exe (PID: 7792)
      • AddInUtil.exe (PID: 8168)
    • Checks proxy server information

      • slui.exe (PID: 5260)
      • dw20.exe (PID: 5984)
      • ComSvcConfig.exe (PID: 7812)
    • Create files in a temporary directory

      • RTLCPL.EXE (PID: 6872)
      • powershell.exe (PID: 1748)
      • OneDriveSetup.exe (PID: 3796)
      • OneDriveSetup.exe (PID: 5244)
      • stordiag.exe (PID: 3992)
    • The sample compiled with english language support

      • RTLCPL.EXE (PID: 6872)
      • OneDriveSetup.exe (PID: 5244)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4336)
      • WerFault.exe (PID: 6268)
      • WerFault.exe (PID: 6576)
      • WerFault.exe (PID: 3804)
      • dw20.exe (PID: 5984)
      • WerFault.exe (PID: 3016)
      • RMActivate.exe (PID: 4652)
      • OneDriveSetup.exe (PID: 3796)
      • OneDriveSetup.exe (PID: 5244)
      • WerFault.exe (PID: 2340)
      • ComSvcConfig.exe (PID: 7812)
    • Process checks whether UAC notifications are on

      • FlashUtil32_32_0_0_465_Plugin.exe (PID: 2244)
      • FlashUtil32_32_0_0_465_pepper.exe (PID: 680)
    • Compiled with Borland Delphi (YARA)

      • RTLCPL.EXE (PID: 6872)
    • Disables trace logs

      • cmstp.exe (PID: 5308)
      • cmmon32.exe (PID: 5116)
      • rasphone.exe (PID: 132)
    • Reads the machine GUID from the registry

      • dw20.exe (PID: 5984)
      • aspnet_regsql.exe (PID: 7136)
      • ComSvcConfig.exe (PID: 7812)
      • aspnet_regsql.exe (PID: 7792)
    • Creates files in the program directory

      • dw20.exe (PID: 5984)
      • wermgr.exe (PID: 7552)
    • Process checks computer location settings

      • dw20.exe (PID: 5984)
    • Reads product name

      • dw20.exe (PID: 5984)
    • Reads Environment values

      • dw20.exe (PID: 5984)
    • Reads CPU info

      • dw20.exe (PID: 5984)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 1748)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1748)
      • certreq.exe (PID: 3976)
      • OneDriveSetup.exe (PID: 3796)
      • OneDriveSetup.exe (PID: 5244)
      • mshta.exe (PID: 5212)
      • mstsc.exe (PID: 8060)
      • stordiag.exe (PID: 3992)
      • mstsc.exe (PID: 7624)
    • Reads the time zone

      • runonce.exe (PID: 6372)
    • Checks transactions between databases Windows and Oracle

      • ComSvcConfig.exe (PID: 7812)
    • The sample compiled with chinese language support

      • OneDriveSetup.exe (PID: 5244)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • stordiag.exe (PID: 3992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:19 01:12:53+00:00
ImageFileCharacteristics: Executable, Bytes reversed lo, 32-bit
PEType: PE32
LinkerVersion: 2.18
CodeSize: 28672
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x1898
OSVersion: 1.11
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes
434
Monitored processes
283
Malicious processes
3
Suspicious processes
4


Process information

PID
CMD
Path
Indicators
Parent process
PID: 132
CMD: .\System32\secinit.exe
Path: C:\Windows\SysWOW64\secinit.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Security Init
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\secinit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 132
CMD: .\SysWOW64\rasphone.exe
Path: C:\Windows\SysWOW64\rasphone.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Remote Access Phonebook
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rasphone.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 540
CMD: /c echo "Vss"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: forfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 616
CMD: .\regedit.exe
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 616
CMD: .\System32\xcopy.exe
Path: C:\Windows\SysWOW64\xcopy.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
4
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 632
CMD: .\SysWOW64\PackagedCWALauncher.exe
Path: C:\Windows\SysWOW64\PackagedCWALauncher.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Packaged CWA Launcher
Exit code:
2147942487
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\packagedcwalauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 660
CMD: .\System32\isoburn.exe
Path: C:\Windows\SysWOW64\isoburn.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Disc Image Burning Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\isoburn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 664
CMD: .\System32\WerFaultSecure.exe
Path: C:\Windows\SysWOW64\WerFaultSecure.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Fault Reporting
Exit code:
1
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfaultsecure.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\dbghelp.dll
PID: 672
CMD: .\System32\SearchProtocolHost.exe
Path: C:\Windows\SysWOW64\SearchProtocolHost.exe
Parent process: tf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 680
CMD: .\System32\Macromed\Flash\FlashUtil32_32_0_0_465_pepper.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_32_0_0_465_pepper.exe
Parent process: tf.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 32.0 r0
Exit code:
1039
Version:
32,0,0,465
Modules
Images
c:\windows\syswow64\macromed\flash\flashutil32_32_0_0_465_pepper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
55 694
Read events
55 535
Write events
157
Delete events
2

Modification events

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: guidDXsoundW
Value: {9A7A2494-D921-4B91-8899-38D44CD79857}

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: APO
Value: 01

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: VoiceCancel
Value: 00

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: KeyValue
Value: 0

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: EQEnable
Value: 0

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: EQGain0
Value: 3997797

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: EQGain1
Value: 3801155

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: EQGain2
Value: 5439488

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: EQGain3
Value: 7536761

(PID) Process: (2516) RTBK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Realtek\RTBK
Operation: write
Name: EQGain4
Value: 6619252
Executable files
178
Suspicious files
35
Text files
109
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4336
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CHXSmartScreen.e_c5bda8729b4e8fabe3e5eb81f2d3493db3d727e_8ca06682_7d1e5853-92d6-42fc-9afa-84f790a9c617\Report.wer
Type:
MD5:
SHA256:

PID: 5280
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-19.0114.5280.1.odl
Type: binary
MD5: F7259D1FF2E1652A71BAE54D0505815B
SHA256: 973F824FC254DDB6DEC3CD87E1FD6D4791ED86BE45006F89389C367C3CAECE5F

PID: 4336
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER99A.tmp.xml
Type: xml
MD5: CE96577D5F8883B2BF8DC8DDD7A7FBF1
SHA256: 017A6B612780627656FEB9E01B5A345FD45E0BF12059763F9531F0D1C7566B8B

PID: 6872
Process: RTLCPL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Lang\Japanese.bin
Type: text
MD5: FD5BD8E4A72DB1BD80F2C75D45AC28A3
SHA256: 1F083E06DFAF8ED238C4C1809BD66E6C39C0D410465B6780E14E335133AAEA2F

PID: 4336
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97A.tmp.WERInternalMetadata.xml
Type: binary
MD5: 8030C74D71F08458EFBFE20EC5F5175E
SHA256: 41BED4A9112957EF6B9A238CE0868077049758310CC3E6CFC1BADD58F78A9E45

PID: 4336
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\CHXSmartScreen.exe.5428.dmp
Type: binary
MD5: B358920DE7AB511BA0AE3B1DC296C6C1
SHA256: C9A8793318A9A00BA82CFB83C795ADF56010BC57F15BDBEF012ACDB494AD0EBA

PID: 6872
Process: RTLCPL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Lang\TradChin.bin
Type: text
MD5: A878AFFA93DD2E66EE05003CEDF384CF
SHA256: F13FDF7E5F2C0A644F14FD2D7816082D582D3244954FDFA9416B9E51F0BA22C7

PID: 6872
Process: RTLCPL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Lang\Korean.bin
Type: text
MD5: 60B93C3EA239D60F719921663FB72CBF
SHA256: 8654073B06C7CA62408EA06C99B34E7EA81A8C06F217F52AAAF396A41038418B

PID: 5280
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-19.0114.5280.1.aodl
Type: binary
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

PID: 6872
Process: RTLCPL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Lang\Danish.bin
Type: text
MD5: 3F71814FC561461F999DC589F6B18574
SHA256: 2B7B5DE4D68C60889F57F79B1ABD9AE7508BA5F76C5CC88FE697536A95E826CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
35
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
976
RUXIMICS.exe
GET
200
2.21.245.142:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.21.245.142:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.21.245.142:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5112
SIHClient.exe
GET
200
23.222.86.92:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5112
SIHClient.exe
GET
200
23.222.86.92:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5984
dw20.exe
GET
200
2.21.245.142:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5984
dw20.exe
GET
200
23.222.86.92:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7812
ComSvcConfig.exe
GET
200
23.222.86.92:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
976
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
976
RUXIMICS.exe
2.21.245.142:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.21.245.142:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
2.21.245.142:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.21.245.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 23.222.86.92
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info