File name:

2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop

Full analysis: https://app.any.run/tasks/3c9a6833-8313-47ce-b430-096f08e47cd3
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: June 21, 2025, 12:00:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmoon
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

1E8D6E8A045CF9EBF49714857A80F537

SHA1:

DB2ADAA9D12FCBD65009424A6439E1442AC58D4C

SHA256:

D6D279A904ED8C06719126DE603A9741227EFA008172E25CC22AA1B0A8FF701B

SSDEEP:

49152:XFxUhnky7BM7W88988Nt5KBBDhzsf9hS1Sx5F2b35tZOP3E/4VhH3QLBf8XcHZ8N:3Uhnkyi8qDpsVhS1Sx5HPznWnNHqj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 768)
  • SUSPICIOUS

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
    • Reads security settings of Internet Explorer

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 768)
      • uwlnlp.exe (PID: 2148)
      • 508693.exe (PID: 2804)
      • 421993.exe (PID: 1200)
      • 491044.exe (PID: 1816)
      • 089758.exe (PID: 7208)
      • 004437.exe (PID: 7560)
      • 405141.exe (PID: 7732)
      • 751304.exe (PID: 7812)
      • 038111.exe (PID: 7896)
      • 929540.exe (PID: 7976)
      • 319264.exe (PID: 8048)
      • 490505.exe (PID: 8128)
      • 891120.exe (PID: 2212)
      • 947302.exe (PID: 7684)
      • 966400.exe (PID: 3392)
      • 988765.exe (PID: 7856)
      • 276563.exe (PID: 7920)
      • 511646.exe (PID: 7992)
      • 015274.exe (PID: 8076)
      • 906425.exe (PID: 2292)
      • 352488.exe (PID: 8176)
      • 519495.exe (PID: 2212)
      • 420726.exe (PID: 7508)
      • 907734.exe (PID: 7284)
      • 930800.exe (PID: 7004)
      • 952168.exe (PID: 7172)
      • 055319.exe (PID: 7912)
      • 188675.exe (PID: 7980)
      • 089125.exe (PID: 1872)
      • 256913.exe (PID: 5712)
      • 602894.exe (PID: 4552)
      • 747076.exe (PID: 4808)
      • 085733.exe (PID: 7876)
      • 210913.exe (PID: 7776)
      • 957500.exe (PID: 8016)
      • 961758.exe (PID: 8048)
      • 225081.exe (PID: 1056)
      • 932274.exe (PID: 7512)
      • 197838.exe (PID: 8168)
      • 476871.exe (PID: 2604)
      • 220998.exe (PID: 7508)
      • 615304.exe (PID: 6212)
      • 831385.exe (PID: 7944)
      • 369322.exe (PID: 4664)
      • 973039.exe (PID: 7248)
      • 883543.exe (PID: 5456)
      • 360331.exe (PID: 1812)
      • 307862.exe (PID: 8068)
      • 496511.exe (PID: 7928)
      • 520120.exe (PID: 2128)
    • Starts itself from another location

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 768)
    • Application launched itself

      • uwlnlp.exe (PID: 2148)
      • 508693.exe (PID: 2804)
      • 421993.exe (PID: 1200)
      • 089758.exe (PID: 7208)
      • 491044.exe (PID: 1816)
      • 004437.exe (PID: 7560)
      • 405141.exe (PID: 7732)
      • 751304.exe (PID: 7812)
      • 038111.exe (PID: 7896)
      • 929540.exe (PID: 7976)
      • 319264.exe (PID: 8048)
      • 490505.exe (PID: 8128)
      • 891120.exe (PID: 2212)
      • 947302.exe (PID: 7684)
      • 966400.exe (PID: 3392)
      • 988765.exe (PID: 7856)
      • 511646.exe (PID: 7992)
      • 015274.exe (PID: 8076)
      • 906425.exe (PID: 2292)
      • 276563.exe (PID: 7920)
      • 519495.exe (PID: 2212)
      • 420726.exe (PID: 7508)
      • 352488.exe (PID: 8176)
      • 907734.exe (PID: 7284)
      • 930800.exe (PID: 7004)
      • 952168.exe (PID: 7172)
      • 188675.exe (PID: 7980)
      • 089125.exe (PID: 1872)
      • 055319.exe (PID: 7912)
      • 256913.exe (PID: 5712)
      • 602894.exe (PID: 4552)
      • 747076.exe (PID: 4808)
      • 210913.exe (PID: 7776)
      • 973039.exe (PID: 7248)
      • 085733.exe (PID: 7876)
      • 957500.exe (PID: 8016)
      • 197838.exe (PID: 8168)
      • 932274.exe (PID: 7512)
      • 961758.exe (PID: 8048)
      • 220998.exe (PID: 7508)
      • 476871.exe (PID: 2604)
      • 369322.exe (PID: 4664)
      • 615304.exe (PID: 6212)
      • 831385.exe (PID: 7944)
      • 883543.exe (PID: 5456)
      • 307862.exe (PID: 8068)
      • 360331.exe (PID: 1812)
      • 496511.exe (PID: 7928)
      • 225081.exe (PID: 1056)
    • Executable content was dropped or overwritten

      • uwlnlp.exe (PID: 768)
      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 3624)
    • Executing commands from a ".bat" file

      • explorer.exe (PID: 2140)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 768)
    • Searches for installed software

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 2140)
  • INFO

    • The sample was compiled with Chinese language support

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 768)
    • Reads the computer name

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 2148)
      • uwlnlp.exe (PID: 768)
      • 508693.exe (PID: 2804)
      • 421993.exe (PID: 1200)
      • 491044.exe (PID: 1816)
      • 089758.exe (PID: 7208)
      • 004437.exe (PID: 7560)
      • 405141.exe (PID: 7732)
      • 751304.exe (PID: 7812)
      • identity_helper.exe (PID: 7404)
      • 038111.exe (PID: 7896)
      • 929540.exe (PID: 7976)
      • 319264.exe (PID: 8048)
      • 490505.exe (PID: 8128)
      • 891120.exe (PID: 2212)
      • 947302.exe (PID: 7684)
      • 966400.exe (PID: 3392)
      • 988765.exe (PID: 7856)
      • 276563.exe (PID: 7920)
      • 511646.exe (PID: 7992)
      • 015274.exe (PID: 8076)
      • 906425.exe (PID: 2292)
      • 352488.exe (PID: 8176)
      • 519495.exe (PID: 2212)
      • 420726.exe (PID: 7508)
      • 907734.exe (PID: 7284)
      • 930800.exe (PID: 7004)
      • 055319.exe (PID: 7912)
      • 952168.exe (PID: 7172)
      • 188675.exe (PID: 7980)
      • 089125.exe (PID: 1872)
      • 256913.exe (PID: 5712)
      • 747076.exe (PID: 4808)
      • 973039.exe (PID: 7248)
      • 602894.exe (PID: 4552)
      • 085733.exe (PID: 7876)
      • 210913.exe (PID: 7776)
      • 957500.exe (PID: 8016)
      • 961758.exe (PID: 8048)
      • 225081.exe (PID: 1056)
      • 197838.exe (PID: 8168)
      • 220998.exe (PID: 7508)
      • 476871.exe (PID: 2604)
      • 932274.exe (PID: 7512)
      • 615304.exe (PID: 6212)
      • 831385.exe (PID: 7944)
      • 369322.exe (PID: 4664)
      • 883543.exe (PID: 5456)
      • 360331.exe (PID: 1812)
      • 307862.exe (PID: 8068)
      • 496511.exe (PID: 7928)
      • 520120.exe (PID: 2128)
    • Creates files in a temporary directory

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 768)
    • Process checks computer location settings

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 2148)
      • uwlnlp.exe (PID: 768)
      • 508693.exe (PID: 2804)
      • 421993.exe (PID: 1200)
      • 491044.exe (PID: 1816)
      • 089758.exe (PID: 7208)
      • 004437.exe (PID: 7560)
      • 405141.exe (PID: 7732)
      • 751304.exe (PID: 7812)
      • 319264.exe (PID: 8048)
      • 038111.exe (PID: 7896)
      • 929540.exe (PID: 7976)
      • 490505.exe (PID: 8128)
      • 891120.exe (PID: 2212)
      • 947302.exe (PID: 7684)
      • 276563.exe (PID: 7920)
      • 988765.exe (PID: 7856)
      • 511646.exe (PID: 7992)
      • 906425.exe (PID: 2292)
      • 352488.exe (PID: 8176)
      • 519495.exe (PID: 2212)
      • 420726.exe (PID: 7508)
      • 907734.exe (PID: 7284)
      • 930800.exe (PID: 7004)
      • 952168.exe (PID: 7172)
      • 188675.exe (PID: 7980)
      • 089125.exe (PID: 1872)
      • 055319.exe (PID: 7912)
      • 602894.exe (PID: 4552)
      • 747076.exe (PID: 4808)
      • 966400.exe (PID: 3392)
      • 256913.exe (PID: 5712)
      • 973039.exe (PID: 7248)
      • 085733.exe (PID: 7876)
      • 210913.exe (PID: 7776)
      • 225081.exe (PID: 1056)
      • 015274.exe (PID: 8076)
      • 957500.exe (PID: 8016)
      • 932274.exe (PID: 7512)
      • 961758.exe (PID: 8048)
      • 197838.exe (PID: 8168)
      • 220998.exe (PID: 7508)
      • 476871.exe (PID: 2604)
      • 615304.exe (PID: 6212)
      • 831385.exe (PID: 7944)
      • 369322.exe (PID: 4664)
      • 883543.exe (PID: 5456)
      • 360331.exe (PID: 1812)
      • 307862.exe (PID: 8068)
      • 496511.exe (PID: 7928)
      • 520120.exe (PID: 2128)
    • Checks proxy server information

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • slui.exe (PID: 7416)
    • Checks supported languages

      • 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe (PID: 5020)
      • uwlnlp.exe (PID: 2148)
      • uwlnlp.exe (PID: 768)
      • 508693.exe (PID: 2804)
      • 508693.exe (PID: 1180)
      • 421993.exe (PID: 1200)
      • 421993.exe (PID: 5708)
      • 491044.exe (PID: 1816)
      • 491044.exe (PID: 4808)
      • 089758.exe (PID: 7208)
      • 089758.exe (PID: 7252)
      • identity_helper.exe (PID: 7404)
      • 405141.exe (PID: 7732)
      • 004437.exe (PID: 7660)
      • 405141.exe (PID: 7776)
      • 004437.exe (PID: 7560)
      • 751304.exe (PID: 7856)
      • 751304.exe (PID: 7812)
      • 038111.exe (PID: 7896)
      • 038111.exe (PID: 7940)
      • 929540.exe (PID: 8020)
      • 319264.exe (PID: 8048)
      • 929540.exe (PID: 7976)
      • 490505.exe (PID: 8128)
      • 319264.exe (PID: 8096)
      • 490505.exe (PID: 8172)
      • 891120.exe (PID: 2212)
      • 891120.exe (PID: 3964)
      • 947302.exe (PID: 7684)
      • 947302.exe (PID: 7772)
      • 966400.exe (PID: 3392)
      • 988765.exe (PID: 7856)
      • 988765.exe (PID: 4512)
      • 276563.exe (PID: 7960)
      • 276563.exe (PID: 7920)
      • 511646.exe (PID: 7992)
      • 966400.exe (PID: 7848)
      • 511646.exe (PID: 8032)
      • 906425.exe (PID: 2292)
      • 015274.exe (PID: 8116)
      • 906425.exe (PID: 8164)
      • 352488.exe (PID: 8176)
      • 015274.exe (PID: 8076)
      • 352488.exe (PID: 3944)
      • 519495.exe (PID: 3396)
      • 519495.exe (PID: 2212)
      • 907734.exe (PID: 7284)
      • 420726.exe (PID: 7508)
      • 420726.exe (PID: 6876)
      • 907734.exe (PID: 2232)
      • 930800.exe (PID: 7004)
      • 055319.exe (PID: 7912)
      • 952168.exe (PID: 7172)
      • 930800.exe (PID: 7856)
      • 952168.exe (PID: 3736)
      • 055319.exe (PID: 8004)
      • 188675.exe (PID: 7980)
      • 188675.exe (PID: 8020)
      • 089125.exe (PID: 1872)
      • 089125.exe (PID: 8072)
      • 256913.exe (PID: 5712)
      • 602894.exe (PID: 4552)
      • 256913.exe (PID: 8136)
      • 602894.exe (PID: 2808)
      • 747076.exe (PID: 4808)
      • 747076.exe (PID: 3900)
      • 973039.exe (PID: 7248)
      • 973039.exe (PID: 1808)
      • 085733.exe (PID: 7876)
      • 085733.exe (PID: 7332)
      • 210913.exe (PID: 7776)
      • 210913.exe (PID: 1508)
      • 225081.exe (PID: 1056)
      • 225081.exe (PID: 7956)
      • 957500.exe (PID: 8016)
      • 957500.exe (PID: 8060)
      • 961758.exe (PID: 3760)
      • 197838.exe (PID: 8168)
      • 197838.exe (PID: 5352)
      • 932274.exe (PID: 7512)
      • 220998.exe (PID: 5500)
      • 476871.exe (PID: 2604)
      • 476871.exe (PID: 7852)
      • 369322.exe (PID: 4664)
      • 932274.exe (PID: 7504)
      • 220998.exe (PID: 7508)
      • 369322.exe (PID: 6268)
      • 615304.exe (PID: 6212)
      • 615304.exe (PID: 5060)
      • 831385.exe (PID: 7944)
      • 883543.exe (PID: 5456)
      • 883543.exe (PID: 8004)
      • 360331.exe (PID: 1812)
      • 831385.exe (PID: 1056)
      • 496511.exe (PID: 1068)
      • 307862.exe (PID: 8068)
      • 307862.exe (PID: 8060)
      • 360331.exe (PID: 5692)
      • 496511.exe (PID: 7928)
      • 520120.exe (PID: 3760)
      • 520120.exe (PID: 2128)
      • 961758.exe (PID: 8048)
    • Reads the machine GUID from the registry

      • uwlnlp.exe (PID: 768)
    • Creates files or folders in the user directory

      • uwlnlp.exe (PID: 768)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 2140)
    • Application launched itself

      • msedge.exe (PID: 4920)
      • msedge.exe (PID: 5744)
    • Reads Environment values

      • identity_helper.exe (PID: 7404)
    • Manual execution by a user

      • msedge.exe (PID: 8164)
      • msedge.exe (PID: 6536)
      • msedge.exe (PID: 7908)
    • Reads the software policy settings

      • slui.exe (PID: 7416)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:17 08:34:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 368640
InitializedDataSize: 1241088
UninitializedDataSize: -
EntryPoint: 0x4fd00
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.6.1.1
ProductVersionNumber: 5.6.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 5.6.1.1
FileDescription:
ProductName:
ProductVersion: 5.6.1.1
CompanyName:
LegalCopyright:
Comments: 本程序使用易语言编写(http://www.dywt.com.cn) [translation: this program was written in Easy Language (易语言)]
No data.
All screenshots are available in the full report
Total processes
278
Monitored processes
143
Malicious processes
3
Suspicious processes
0

Behavior graph

start #BLACKMOON 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe uwlnlp.exe no specs #BLACKMOON uwlnlp.exe 421993.exe no specs 421993.exe no specs 508693.exe no specs 508693.exe no specs msedge.exe no specs explorer.exe no specs msedge.exe explorer.exe no specs cmd.exe no specs conhost.exe no specs 491044.exe no specs 491044.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 089758.exe no specs 089758.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs 004437.exe no specs 004437.exe no specs msedge.exe no specs 405141.exe no specs 405141.exe no specs 751304.exe no specs 751304.exe no specs 038111.exe no specs 038111.exe no specs 929540.exe no specs 929540.exe no specs 319264.exe no specs 319264.exe no specs 490505.exe no specs 490505.exe no specs 891120.exe no specs 891120.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 947302.exe no specs 947302.exe no specs 966400.exe no specs 966400.exe no specs 988765.exe no specs 988765.exe no specs slui.exe 276563.exe no specs 276563.exe no specs 511646.exe no specs 511646.exe no specs 015274.exe no specs 015274.exe no specs 906425.exe no specs 906425.exe no specs 352488.exe no specs 352488.exe no specs 519495.exe no specs 519495.exe no specs msedge.exe no specs 420726.exe no specs 420726.exe no specs msedge.exe no specs 907734.exe no specs 907734.exe no specs msedge.exe no specs 930800.exe no specs 930800.exe no specs 952168.exe no specs 952168.exe no specs 055319.exe no specs 055319.exe no specs msedge.exe no specs 188675.exe no specs 188675.exe no specs 089125.exe no specs 089125.exe no specs 256913.exe no specs 256913.exe no specs msedge.exe no specs msedge.exe no specs 602894.exe no specs 602894.exe no specs msedge.exe no specs 747076.exe no specs 747076.exe no specs 
msedge.exe no specs 973039.exe no specs 973039.exe no specs 085733.exe no specs 085733.exe no specs 210913.exe no specs 210913.exe no specs msedge.exe no specs msedge.exe no specs 225081.exe no specs 225081.exe no specs msedge.exe no specs 957500.exe no specs 957500.exe no specs 961758.exe no specs 961758.exe no specs 197838.exe no specs 197838.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 932274.exe no specs 932274.exe no specs 220998.exe no specs 220998.exe no specs 476871.exe no specs 476871.exe no specs msedge.exe no specs 369322.exe no specs 369322.exe no specs 615304.exe no specs 615304.exe no specs 831385.exe no specs 831385.exe no specs 883543.exe no specs 883543.exe no specs 360331.exe no specs 360331.exe no specs msedge.exe no specs 496511.exe no specs 496511.exe no specs 307862.exe no specs 307862.exe no specs 520120.exe no specs 520120.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 768
CMD: "C:\Users\admin\AppData\Local\Temp\uwlnlp.exe" /jsjczxztcq
Path: C:\Users\admin\AppData\Local\Temp\uwlnlp.exe
Parent process: uwlnlp.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\uwlnlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1056
CMD: "C:\Users\admin\AppData\Roaming\Download\225081.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\225081.exe
Parent process: uwlnlp.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\225081.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1056
CMD: "C:\Users\admin\AppData\Roaming\Download\831385.exe"
Path: C:\Users\admin\AppData\Roaming\Download\831385.exe
Parent process: 831385.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\831385.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1068
CMD: "C:\Users\admin\AppData\Roaming\Download\496511.exe"
Path: C:\Users\admin\AppData\Roaming\Download\496511.exe
Parent process: 496511.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\496511.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1180
CMD: "C:\Users\admin\AppData\Roaming\Download\508693.exe"
Path: C:\Users\admin\AppData\Roaming\Download\508693.exe
Parent process: 508693.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\508693.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1200
CMD: "C:\Users\admin\AppData\Roaming\Download\421993.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\421993.exe
Parent process: uwlnlp.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\421993.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1336
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6504,i,3401465152871654539,2753629506440356647,262144 --variations-seed-version --mojo-platform-channel-handle=5832 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1508
CMD: "C:\Users\admin\AppData\Roaming\Download\210913.exe"
Path: C:\Users\admin\AppData\Roaming\Download\210913.exe
Parent process: 210913.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\210913.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1808
CMD: "C:\Users\admin\AppData\Roaming\Download\973039.exe"
Path: C:\Users\admin\AppData\Roaming\Download\973039.exe
Parent process: 973039.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\973039.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1812
CMD: "C:\Users\admin\AppData\Roaming\Download\360331.exe" /Shorttailedrestart
Path: C:\Users\admin\AppData\Roaming\Download\360331.exe
Parent process: uwlnlp.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
5.6.1.1
Modules
Images
c:\users\admin\appdata\roaming\download\360331.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events
27 164
Read events
27 116
Write events
48
Delete events
0

Modification events

(PID) Process: (5020) 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write
Name: JITDebug
Value: 0

(PID) Process: (5744) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (5744) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (4920) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 1

(PID) Process: (4920) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (5020) 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (5020) 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5020) 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5020) 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4920) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: A17F3E02AA962F00
Executable files
62
Suspicious files
245
Text files
85
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF178b96.TMP
MD5:
SHA256:

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF178ba6.TMP
MD5:
SHA256:

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF178bb5.TMP
MD5:
SHA256:

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

PID: 5020
Process: 2025-06-21_1e8d6e8a045cf9ebf49714857a80f537_elex_icedid_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\uwlnlp.exe
Type: executable
MD5: 1E8D6E8A045CF9EBF49714857A80F537
SHA256: D6D279A904ED8C06719126DE603A9741227EFA008172E25CC22AA1B0A8FF701B

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF178bc5.TMP
MD5:
SHA256:

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:

PID: 4920
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

PID: 768
Process: uwlnlp.exe
Filename: C:\Users\admin\AppData\Local\Temp\4219939723\....\TemporaryFile
Type: executable
MD5: 1E8D6E8A045CF9EBF49714857A80F537
SHA256: D6D279A904ED8C06719126DE603A9741227EFA008172E25CC22AA1B0A8FF701B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
457
TCP/UDP connections
296
DNS requests
287
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5552
RUXIMICS.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
180.163.237.212:443
https://hao.360.cn/?src=lm&ls=n6abbbb598c
unknown
5552
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
binary
715 b
whitelisted
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750507231&lafgdate=0
unknown
binary
1.47 Kb
whitelisted
GET
200
92.123.104.53:443
https://copilot.microsoft.com/c/api/user/eligibility
unknown
binary
25 b
whitelisted
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750507231&lafgdate=0
unknown
binary
13.3 Kb
whitelisted
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750507231&lafgdate=0
unknown
binary
43.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5552
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5552
RUXIMICS.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5552
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
dt.hebchengjiu.com
unknown
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
hao.360.cn
  • 101.198.2.134
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
copilot.microsoft.com
  • 2.16.241.224
  • 2.16.241.220
whitelisted
hao.360.com
  • 180.163.237.212
whitelisted

Threats

No threats detected
No debug info