URL:

https://www.cheatengine.org

Full analysis: https://app.any.run/tasks/b8d26b8e-feb1-4d99-bffd-0df5423e60f1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 01, 2024, 10:28:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
netreactor
Indicators:
MD5:

074644CB619C7D7A6FED51ED8397D8BF

SHA1:

4DE130ECAAB27FD31DBC63BCEF13528F24C9A7AE

SHA256:

E34D72163557CE3472691207E46D68592B98F1291022F22A84C0315CE8790CD6

SSDEEP:

3:N8DSLHC:2OLHC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • CheatEngine75.tmp (PID: 3844)
      • CheatEngine75.exe (PID: 7400)
      • CheatEngine75.tmp (PID: 2436)
      • prod0.exe (PID: 3848)
      • UnifiedStub-installer.exe (PID: 6044)
      • 0j2phdx0.exe (PID: 5908)
    • Starts NET.EXE for service management

      • net.exe (PID: 3140)
      • net.exe (PID: 7888)
      • CheatEngine75.tmp (PID: 2436)
    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 6044)
      • rsEngineSvc.exe (PID: 7212)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 7376)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cookie_exporter.exe (PID: 3700)
      • CheatEngine75.tmp (PID: 2532)
      • CheatEngine75.tmp (PID: 3844)
      • Cheat Engine.exe (PID: 7312)
      • prod0.exe (PID: 3848)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • Cheat Engine.exe (PID: 3068)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 3164)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsWSC.exe (PID: 7832)
      • rsEngineSvc.exe (PID: 8148)
    • Executable content was dropped or overwritten

      • CheatEngine75.exe (PID: 2872)
      • CheatEngine75.tmp (PID: 3844)
      • CheatEngine75.tmp (PID: 2436)
      • CheatEngine75.exe (PID: 7400)
      • CheatEngine75.exe (PID: 7776)
      • prod0.exe (PID: 3848)
      • UnifiedStub-installer.exe (PID: 6044)
      • 0j2phdx0.exe (PID: 5908)
    • Reads the date of Windows installation

      • CheatEngine75.tmp (PID: 2532)
      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • Cheat Engine.exe (PID: 7312)
      • Cheat Engine.exe (PID: 3068)
    • Reads the Windows owner or organization settings

      • CheatEngine75.tmp (PID: 3844)
      • CheatEngine75.tmp (PID: 2436)
    • Starts SC.EXE for service management

      • CheatEngine75.tmp (PID: 2436)
    • Uses ICACLS.EXE to modify access control lists

      • CheatEngine75.tmp (PID: 2436)
    • Process drops SQLite DLL files

      • CheatEngine75.tmp (PID: 2436)
    • Process drops legitimate windows executable

      • CheatEngine75.tmp (PID: 2436)
      • 0j2phdx0.exe (PID: 5908)
      • UnifiedStub-installer.exe (PID: 6044)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 6044)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 6044)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 7696)
      • rsWSC.exe (PID: 240)
      • rsClientSvc.exe (PID: 1812)
      • rsEngineSvc.exe (PID: 7212)
    • Detected use of alternative data streams (AltDS)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 3164)
    • Checks Windows Trust Settings

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsWSC.exe (PID: 7832)
      • rsWSC.exe (PID: 240)
      • rsEngineSvc.exe (PID: 8148)
    • The process creates files with name similar to system file names

      • UnifiedStub-installer.exe (PID: 6044)
    • There is functionality for communication over UDP network (YARA)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 3164)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 6044)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 6044)
    • Creates or modifies Windows services

      • rundll32.exe (PID: 7376)
      • UnifiedStub-installer.exe (PID: 6044)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 6044)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 6044)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 6044)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 6044)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 6044)
      • rsWSC.exe (PID: 7832)
  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 5760)
      • cookie_exporter.exe (PID: 3700)
      • CheatEngine75.exe (PID: 7776)
      • CheatEngine75.tmp (PID: 2532)
      • CheatEngine75.exe (PID: 2872)
      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • CheatEngine75.exe (PID: 7400)
      • CheatEngine75.tmp (PID: 2436)
      • _setup64.tmp (PID: 7128)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsSyncSvc.exe (PID: 2384)
      • rsSyncSvc.exe (PID: 7696)
      • Kernelmoduleunloader.exe (PID: 1044)
      • windowsrepair.exe (PID: 7256)
      • Cheat Engine.exe (PID: 7312)
      • 0j2phdx0.exe (PID: 5908)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 3164)
      • Cheat Engine.exe (PID: 3068)
      • rsWSC.exe (PID: 7832)
      • rsWSC.exe (PID: 240)
      • rsClientSvc.exe (PID: 2180)
      • rsClientSvc.exe (PID: 1812)
      • rsEngineSvc.exe (PID: 8148)
      • rsEngineSvc.exe (PID: 7212)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6328)
    • Reads Environment values

      • identity_helper.exe (PID: 5760)
      • prod0.exe (PID: 3848)
      • cookie_exporter.exe (PID: 3700)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsEngineSvc.exe (PID: 7212)
    • Reads the computer name

      • cookie_exporter.exe (PID: 3700)
      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • CheatEngine75.tmp (PID: 2436)
      • identity_helper.exe (PID: 5760)
      • CheatEngine75.tmp (PID: 2532)
      • rsSyncSvc.exe (PID: 2384)
      • Kernelmoduleunloader.exe (PID: 1044)
      • Cheat Engine.exe (PID: 7312)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsSyncSvc.exe (PID: 7696)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 3164)
      • Cheat Engine.exe (PID: 3068)
      • rsWSC.exe (PID: 240)
      • rsWSC.exe (PID: 7832)
      • rsClientSvc.exe (PID: 2180)
      • rsClientSvc.exe (PID: 1812)
      • rsEngineSvc.exe (PID: 8148)
      • rsEngineSvc.exe (PID: 7212)
    • Checks proxy server information

      • cookie_exporter.exe (PID: 3700)
      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • UnifiedStub-installer.exe (PID: 6044)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • rsWSC.exe (PID: 7832)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 6564)
      • msedge.exe (PID: 6328)
    • Create files in a temporary directory

      • CheatEngine75.exe (PID: 7776)
      • CheatEngine75.exe (PID: 2872)
      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • CheatEngine75.exe (PID: 7400)
      • CheatEngine75.tmp (PID: 2436)
      • 0j2phdx0.exe (PID: 5908)
      • UnifiedStub-installer.exe (PID: 6044)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 3164)
    • The process uses the downloaded file

      • msedge.exe (PID: 6328)
      • msedge.exe (PID: 5372)
    • Application launched itself

      • msedge.exe (PID: 6328)
    • Process checks computer location settings

      • CheatEngine75.tmp (PID: 2532)
      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • Cheat Engine.exe (PID: 7312)
      • Cheat Engine.exe (PID: 3068)
    • Reads the software policy settings

      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • UnifiedStub-installer.exe (PID: 6044)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • rsWSC.exe (PID: 7832)
      • rsEngineSvc.exe (PID: 7212)
      • rsWSC.exe (PID: 240)
      • rsEngineSvc.exe (PID: 8148)
    • Reads the machine GUID from the registry

      • CheatEngine75.tmp (PID: 3844)
      • prod0.exe (PID: 3848)
      • UnifiedStub-installer.exe (PID: 6044)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • rsWSC.exe (PID: 7832)
      • rsEngineSvc.exe (PID: 8148)
      • rsWSC.exe (PID: 240)
      • rsEngineSvc.exe (PID: 7212)
    • Disables trace logs

      • prod0.exe (PID: 3848)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsEngineSvc.exe (PID: 7212)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6328)
      • msedge.exe (PID: 6564)
    • Creates files in the program directory

      • CheatEngine75.tmp (PID: 2436)
      • UnifiedStub-installer.exe (PID: 6044)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • rsWSC.exe (PID: 7832)
      • rsEngineSvc.exe (PID: 8148)
      • rsEngineSvc.exe (PID: 7212)
    • Creates a software uninstall entry

      • CheatEngine75.tmp (PID: 2436)
    • Manual execution by a user

      • Cheat Engine.exe (PID: 7140)
      • Cheat Engine.exe (PID: 3068)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 6044)
    • Creates files or folders in the user directory

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 1216)
      • UnifiedStub-installer.exe (PID: 6044)
      • rsWSC.exe (PID: 7832)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 1172)
    • Reads the time zone

      • runonce.exe (PID: 1172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
245
Monitored processes
104
Malicious processes
10
Suspicious processes
1

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
188
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6292 --field-trial-handle=2252,i,18364999002119939462,7185598151694098578,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID:
240
CMD:
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
Path:
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
rsWSC
Version:
6.0.3.0
Modules
Images
c:\program files\reasonlabs\epp\rswsc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
872
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
wevtutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1020
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1504 --field-trial-handle=2252,i,18364999002119939462,7185598151694098578,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1044
CMD:
"C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
Path:
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
Parent process:
CheatEngine75.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\cheat engine 7.5\kernelmoduleunloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1044
CMD:
"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
Path:
C:\Windows\System32\icacls.exe
Parent process:
CheatEngine75.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1172
CMD:
"C:\WINDOWS\system32\runonce.exe" -r
Path:
C:\Windows\System32\runonce.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID:
1216
CMD:
"C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
Path:
C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
Parent process:
Cheat Engine.exe
User:
admin
Company:
Cheat Engine
Integrity Level:
HIGH
Description:
Cheat Engine
Exit code:
0
Version:
7.5.0.7431
Modules
Images
c:\program files\cheat engine 7.5\cheatengine-x86_64-sse4-avx2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1448
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1488
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
rsClientSvc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
61 782
Read events
61 317
Write events
402
Delete events
63

Modification events

(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation: write
Name: L1WatermarkLowPart
Value:
0
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation: write
Name: L1WatermarkHighPart
Value:
0
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:
0
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation: write
Name: NextCheckForUpdateHighDateTime
Value:
0
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation: write
Name: NextCheckForUpdateHighDateTime
Value:
31122429
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value:
0
Executable files
626
Suspicious files
318
Text files
525
Unknown types
105

Dropped files

PID
Process
Filename
Type
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe5649.TMP
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe5649.TMP
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe5649.TMP
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe5649.TMP
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe5659.TMP
MD5:
SHA256:
PID: 6328
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
196
DNS requests
204
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6564
msedge.exe
GET
304
2.23.197.184:80
http://x1.i.lencr.org/
unknown
whitelisted
6564
msedge.exe
GET
304
2.23.197.184:80
http://r3.i.lencr.org/
unknown
whitelisted
6564
msedge.exe
GET
304
2.16.241.15:80
http://apps.identrust.com/roots/dstrootcax3.p7c
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1928
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1928
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7356
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7408
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6328
msedge.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
unknown
whitelisted
6328
msedge.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEQC9Ijailxc%2F98MiRQMEFZFQ
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5240
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1860
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6328
msedge.exe
239.255.255.250:1900
whitelisted
6564
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6564
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6564
msedge.exe
104.20.94.94:443
www.cheatengine.org
CLOUDFLARENET
unknown
6564
msedge.exe
13.107.246.60:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.cheatengine.org
  • 104.20.94.94
  • 104.20.95.94
  • 172.67.35.220
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.60
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.19.126.145
  • 2.19.126.152
whitelisted
cdnjs.cloudflare.com
  • 104.17.25.14
  • 104.17.24.14
whitelisted
www.bing.com
whitelisted

Threats

PID
Process
Class
Message
6564
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6564
msedge.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
6564
msedge.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
Process
Message
Kernelmoduleunloader.exe
Kernelmodule unloader
Kernelmoduleunloader.exe
Running in wow64
Kernelmoduleunloader.exe
Setup. So do not show messages
Kernelmoduleunloader.exe
attempting to unload
Kernelmoduleunloader.exe
SCManager opened
Kernelmoduleunloader.exe
count=0
Kernelmoduleunloader.exe
setup=true
cheatengine-x86_64-SSE4-AVX2.exe
Lua thread terminated