URL:

http://3.au.download.windowsupdate.com/d/msdownload/update/software/uprl/2025/02/windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe

Full analysis: https://app.any.run/tasks/db7f2ba2-f284-411e-b907-3c3dfc7fc5b2
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: February 12, 2025, 09:52:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
xor-url
generic
susp-powershell
dcrat
crypto-regex
cobaltstrike
ims-api
lumma
mimikatz
tools
atlantida
m0yv
masslogger
cve-2022-30190
exploit
pecompact
themida
xmrig
pyinstaller
upx
antivm
Indicators:
MD5:

C7F5926A2F277F0742CF94C6038BA91D

SHA1:

645F3E3F90604AB2659BAA4386986A4288C0D47B

SHA256:

D915AEEA9088D75E3E73356E6A8D1D6B36D3AD2A24C5C56FCE707C00106B896E

SSDEEP:

3:N1KZNLEWd9r4ExKVKSLJkACANKXyK9bHPwIT06tn0QVIl:CLDd9AVx/K9b1I6tn0Q6l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • MRT.exe (PID: 7248)

    • XORed URL has been found (YARA)

      • MRT.exe (PID: 7248)

    • COBALTSTRIKE has been detected (YARA)

      • MRT.exe (PID: 7248)

    • DCRAT has been detected (YARA)

      • MRT.exe (PID: 7248)

    • LUMMA has been detected (YARA)

      • MRT.exe (PID: 7248)

    • ATLANTIDA has been detected (YARA)

      • MRT.exe (PID: 7248)

    • MIMIKATZ has been detected (YARA)

      • MRT.exe (PID: 7248)

    • CVE-2022-30190 detected

      • MRT.exe (PID: 7248)

    • M0YV has been detected (YARA)

      • MRT.exe (PID: 7248)

    • XMRIG has been detected (YARA)

      • MRT.exe (PID: 7248)

    • MASSLOGGER has been detected (YARA)

      • MRT.exe (PID: 7248)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MRT.exe (PID: 7248)

    • The process verifies whether the antivirus software is installed

      • MRT.exe (PID: 7248)

    • Found regular expressions for crypto-addresses (YARA)

      • MRT.exe (PID: 7248)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • MRT.exe (PID: 7248)

    • There is functionality for taking screenshot (YARA)

      • MRT.exe (PID: 7248)

    • There is functionality for VM detection antiVM strings (YARA)

      • MRT.exe (PID: 7248)

  • INFO

    • The sample compiled with english language support

      • MRT.exe (PID: 7248)
      • msedge.exe (PID: 244)

    • Reads security settings of Internet Explorer

      • MRT.exe (PID: 7248)

    • Checks supported languages

      • windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe (PID: 8176)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6480)
      • msedge.exe (PID: 244)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • MRT.exe (PID: 7248)

    • Found Base64 encoded network access via PowerShell (YARA)

      • MRT.exe (PID: 7248)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • MRT.exe (PID: 7248)

    • Application launched itself

      • msedge.exe (PID: 6480)

    • Reads the software policy settings

      • MRT.exe (PID: 7248)

    • Found Base64 encoded file access via PowerShell (YARA)

      • MRT.exe (PID: 7248)

    • PECompact has been detected (YARA)

      • MRT.exe (PID: 7248)

    • PyInstaller has been detected (YARA)

      • MRT.exe (PID: 7248)

    • UPX packer has been detected

      • MRT.exe (PID: 7248)

    • Themida protector has been detected

      • MRT.exe (PID: 7248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(7248) MRT.exe
Decrypted-URLs (1)http://khamenei.cogia.net/y.phpD
Decrypted-URLs (1)http://dawateislami.net/html/fonts/taskkill
Decrypted-URLs (2)http://creatonprojects.com/drv32.data
http://powermpeg.com/
Decrypted-URLs (1)http://mm.21380.com/t/sleepdown/updatew

ims-api

(PID) Process(7248) MRT.exe
Discord-Webhook-Tokens (1)1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF
Discord-Info-Links
1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF
Get Webhook Infohttps://discord.com/api/webhooks/1204220382094168145/anpobLsMQf9X7wjCwVR3wiFeqzMNRHXz07QubMDY6LjhZSG7apvQUUOf5T3_Z0iCvhxF
Discord-Webhook-Tokens (1)770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6
Discord-Info-Links
770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6
Get Webhook Infohttps://discord.com/api/webhooks/770716126988599316/o7gxyebupqzx7rqfud4ctopmq2ggicypomynpfvqsib9qyvw2bgz4mmt6c7jvgedo5y6
Discord-Webhook-Tokens (1)757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz
Discord-Info-Links
757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz
Get Webhook Infohttps://discord.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0caWiSJudDLY4XhpV64IEvFz
Telegram-Tokens (1)6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo
Telegram-Info-Links
6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo
Get info about bothttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getMe
Get incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getUpdates
Get webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token6766432184:aah7svaewk_j9o2o2mibghbgw_g77gx8meo
End-Pointsendmessage
Args
Telegram-Tokens (1)6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI
Telegram-Info-Links
6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI
Get info about bothttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getMe
Get incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getUpdates
Get webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token6115740549:AAGbdtUe6dYkRqVTUBXwsUf8JMRY8cAMiNI
End-PointsendMessage
Args
Discord-Webhook-Tokens (1)1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep
Discord-Info-Links
1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep
Get Webhook Infohttps://discord.com/api/webhooks/1109437421331943467/r3lngrry37ry5cone7dwkukqiz2nnr9ecz8et5wqcowerj32bqhbz9w3otdsefgqcwep
Telegram-Tokens (1)6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a
Telegram-Info-Links
6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a
Get info about bothttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getMe
Get incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getUpdates
Get webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token6616481542:aafhufvwi5drycosjpc1fsfif_lbtu2pu7a
End-Pointsendmessage
Args
chat_id (1)6643273432
text (1)new-result=>new:bynbf:=${message}`,{method:"get"}).then(success=>{},error=>{alert('messagenotsent')console.log(error)})document.getelementbyid("password").value="";console.log("yesssss")
Telegram-Tokens (1)7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c
Telegram-Info-Links
7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c
Get info about bothttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getMe
Get incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getUpdates
Get webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7556593612:aafzgxqyc6jokyixx7z8pjv41kml1f3sa_c
End-Pointsendmessage
Args
Telegram-Tokens (1)6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu
Telegram-Info-Links
6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu
Get info about bothttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getMe
Get incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getUpdates
Get webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token6989057172:aaflrv_iwsmb1-cc64puz7ki_jyka8br2fu
End-Pointsendmessage
Args
chat_id (1)6481270908
text (1)","get","open","send"]
Telegram-Tokens (1)7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade
Telegram-Info-Links
7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade
Get info about bothttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getMe
Get incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getUpdates
Get webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7265715971:aaemubcxbzbsrfahqpw65ub-4tgxiaaeade
End-Pointsendmessage
Args
chat_id (1)6481270908
text (1)","get","open","send"];
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
39
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe #XOR-URL mrt.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
8"C:\Users\admin\Downloads\windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe" C:\Users\admin\Downloads\windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Malicious Software Removal Tool (KB890830)
Exit code:
3221226540
Version:
5.132.25020.1001 (a0f0279591bfcc6f092f2314f04eeca6582b6c41)
Modules
Images
c:\users\admin\downloads\windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe
c:\windows\system32\ntdll.dll
244"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6664 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2736"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7324 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3620"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6348 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3832"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1576 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4536"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6548 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5092"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7188 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5604"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5848 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5604"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4944 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5696"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7104 --field-trial-handle=2332,i,17230794935294062790,1832944974344392296,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
9 385
Read events
9 373
Write events
11
Delete events
1

Modification events

(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6480) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
F3A93D30858C2F00
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation:writeName:Enabled
Value:
0
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation:writeName:EnhancedLinkOpeningDefault
Value:
Default
(PID) Process:(6480) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328464
Operation:writeName:WindowTabManagerFileMappingId
Value:
{6108175A-670F-4370-BECE-0F591E0D055F}
(PID) Process:(5604) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
010000000000000075A6EEF2337DDB01
Executable files
14
Suspicious files
324
Text files
51
Unknown types
0

Dropped files

PID
Process
Filename
Type
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135a58.TMP
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135a58.TMP
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135a68.TMP
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135a68.TMP
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135a68.TMP
MD5:
SHA256:
6480msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
56
DNS requests
59
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1739802949&P2=404&P3=2&P4=M99xKToJwZ5Ul%2fE9Pnzhx%2bMS%2fo1vzj89hzMvB29qnXs5D%2boeowMxAnubF13QltZel%2bDGP4AYXLBq3VXpZYM4EQ%3d%3d
unknown
whitelisted
7804
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739802949&P2=404&P3=2&P4=lnxZdvJUGI57D0lLxA3HbnNsqenjv7yNqLvbA0kaeRtOZh0q0y6D%2b%2fqOU%2b0H62kbBahouFg0wZYkSsn319f%2f2Q%3d%3d
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1739802949&P2=404&P3=2&P4=M99xKToJwZ5Ul%2fE9Pnzhx%2bMS%2fo1vzj89hzMvB29qnXs5D%2boeowMxAnubF13QltZel%2bDGP4AYXLBq3VXpZYM4EQ%3d%3d
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739802949&P2=404&P3=2&P4=lnxZdvJUGI57D0lLxA3HbnNsqenjv7yNqLvbA0kaeRtOZh0q0y6D%2b%2fqOU%2b0H62kbBahouFg0wZYkSsn319f%2f2Q%3d%3d
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739802949&P2=404&P3=2&P4=lnxZdvJUGI57D0lLxA3HbnNsqenjv7yNqLvbA0kaeRtOZh0q0y6D%2b%2fqOU%2b0H62kbBahouFg0wZYkSsn319f%2f2Q%3d%3d
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739802949&P2=404&P3=2&P4=lnxZdvJUGI57D0lLxA3HbnNsqenjv7yNqLvbA0kaeRtOZh0q0y6D%2b%2fqOU%2b0H62kbBahouFg0wZYkSsn319f%2f2Q%3d%3d
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739802949&P2=404&P3=2&P4=lnxZdvJUGI57D0lLxA3HbnNsqenjv7yNqLvbA0kaeRtOZh0q0y6D%2b%2fqOU%2b0H62kbBahouFg0wZYkSsn319f%2f2Q%3d%3d
unknown
whitelisted
7804
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1739802949&P2=404&P3=2&P4=lnxZdvJUGI57D0lLxA3HbnNsqenjv7yNqLvbA0kaeRtOZh0q0y6D%2b%2fqOU%2b0H62kbBahouFg0wZYkSsn319f%2f2Q%3d%3d
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.158:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.158:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
188
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.16.110.177:443
www.bing.com
Akamai International B.V.
DE
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1176
svchost.exe
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.148
  • 23.48.23.153
  • 23.48.23.146
  • 23.48.23.150
  • 23.48.23.156
  • 23.48.23.160
  • 23.48.23.147
  • 23.48.23.161
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 23.219.150.101
whitelisted
google.com
  • 216.58.212.142
whitelisted
www.bing.com
  • 2.16.110.177
  • 2.16.110.171
  • 2.16.110.144
  • 2.16.110.161
  • 2.16.110.162
  • 2.16.110.153
  • 2.16.110.160
  • 2.16.110.145
  • 2.16.110.168
  • 2.16.110.186
  • 2.16.110.193
  • 2.16.110.201
  • 2.16.110.187
  • 2.16.110.185
  • 2.16.110.200
  • 2.16.110.120
  • 2.16.110.192
  • 2.19.122.65
  • 2.19.122.67
  • 2.19.122.55
  • 2.19.122.52
  • 2.19.122.64
  • 2.19.122.47
  • 2.19.122.63
  • 2.19.122.56
  • 2.19.122.59
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.2
  • 20.190.159.129
  • 20.190.159.128
  • 20.190.159.2
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.69
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
3.au.download.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://3.au.download.windowsupdate.com/d/msdownload/update/software/uprl/2025/02/windows-kb890830-x64-v5.132_99e2f6f80f1b15eaff192caff421e2c4c139796d.exe