URL:

https://screenpal.com/

Full analysis: https://app.any.run/tasks/3aaaadda-05c2-475d-a564-e84dcf13b43a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 05, 2025, 22:22:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
arch-exec
antivm
Indicators:
MD5:

1DE0A6D67F1BE724A7BD5B903D0DEA6A

SHA1:

76B660406C29E2C37BA9712365EC57C423B2D729

SHA256:

E6E6B15B9EE4C24CB0C753DD26C4A82DB8C4F0ECCBE706CB2CDD0B8950E10D44

SSDEEP:

3:N8LY8TK:2BK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
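A caveat before anyone pivots on the hashes above: an ssdeep signature that starts with block size 3 is only produced for an input of at most about 192 bytes (ssdeep starts at block size 3 and doubles it while blocksize * 64 is smaller than the input), and the seven-character first digest corresponds to roughly 7 * 3 = 21 bytes of input. That is consistent with the 22-byte submitted URL string, not with a multi-megabyte 64-bit installer, so these MD5/SHA1/SHA256 values should not be treated as hashes of ScreenPalSetup-3.1.10.1_*.exe without checking. The script below is an added example, not part of the ANY.RUN report; it only uses the Python standard library, encodes the ssdeep block-size bound so the check can be repeated on other reports, and hashes constructed input. The URL probe at the bottom is an assumption about what was hashed, and the page does not state it.

```python
"""Sanity-check report hash indicators before using them as IOCs."""
import hashlib
from typing import Dict, Tuple

# Hash indicators exactly as listed in the report (lower-cased for comparison).
REPORT_HASHES: Dict[str, str] = {
    "md5": "1de0a6d67f1be724a7bd5b903d0dea6a",
    "sha1": "76b660406c29e2c37ba9712365ec57c423b2d729",
    "sha256": "e6e6b15b9ee4c24cb0c753dd26c4a82db8c4f0eccbe706cb2cdd0b8950e10d44",
}
REPORT_SSDEEP = "3:N8LY8TK:2BK"

# ssdeep constants: smallest block size it ever uses, and the target digest
# length. The block size starts at 3 and is doubled while blocksize * 64 is
# smaller than the input length, so the block size bounds the input length.
SSDEEP_BLOCK_MIN = 3
SSDEEP_SPAMSUM_LENGTH = 64


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of an in-memory object, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if all three hashes agree with the report's indicators."""
    return hash_bytes(data) == REPORT_HASHES


def ssdeep_parts(sig: str) -> Tuple[int, str, str]:
    """Split 'blocksize:digest1:digest2' and validate that blocksize is 3 * 2**k."""
    bs_text, digest1, digest2 = sig.split(":", 2)
    bs = int(bs_text)
    q = bs // SSDEEP_BLOCK_MIN
    if bs < SSDEEP_BLOCK_MIN or bs % SSDEEP_BLOCK_MIN or q & (q - 1):
        raise ValueError(f"not a valid ssdeep block size: {bs}")
    return bs, digest1, digest2


def ssdeep_input_size_bounds(blocksize: int) -> Tuple[int, int]:
    """Nominal inclusive (min, max) input length for a given block size.

    ssdeep's initial guess is the smallest 3 * 2**k with 3 * 2**k * 64 >= len,
    so len <= blocksize * 64, and above the minimum len > (blocksize / 2) * 64.
    ssdeep may step the guess down when the digest at that size is shorter
    than 32 characters, so treat the upper bound as approximate, not exact.
    """
    upper = blocksize * SSDEEP_SPAMSUM_LENGTH
    lower = 0 if blocksize == SSDEEP_BLOCK_MIN else (blocksize // 2) * SSDEEP_SPAMSUM_LENGTH + 1
    return lower, upper


def ssdeep_estimated_length(sig: str) -> int:
    """Rough input length: each digest character consumes about blocksize bytes."""
    bs, digest1, _ = ssdeep_parts(sig)
    return bs * len(digest1)


def hashed_object_is_small(sig: str = REPORT_SSDEEP, threshold: int = 4096) -> bool:
    """Could this ssdeep value plausibly have come from a PE installer? (False if tiny.)"""
    bs, _, _ = ssdeep_parts(sig)
    _, upper = ssdeep_input_size_bounds(bs)
    return upper < threshold


if __name__ == "__main__":
    bs, _, _ = ssdeep_parts(REPORT_SSDEEP)
    lo, hi = ssdeep_input_size_bounds(bs)
    print(f"block size {bs}: hashed object is {lo}..{hi} bytes, estimate {ssdeep_estimated_length(REPORT_SSDEEP)}")
    # Constructed probe: the submitted URL as a candidate for what was hashed.
    print("URL string matches report hashes:", matches_report(b"https://screenpal.com/"))
```

Run it against the report's own values and the block-size bound says the object is at most 192 bytes; the same check on a real installer's ssdeep (block size in the tens of thousands) will report a range in the megabytes, which is the quick way to tell whether a report's hash row refers to the sample or to the submitted URL.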
  • MALICIOUS

    • Starts CMD.EXE for self-deleting

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
    • Changes the autorun value in the registry

      • reg.exe (PID: 5620)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • explorer.exe (PID: 4772)
    • Executable content was dropped or overwritten

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
    • A mutex belonging to the GCC thread-support runtime libraries was found

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
    • Process drops legitimate windows executable

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
    • The process drops C-runtime libraries

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
    • The process creates files with name similar to system file names

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
    • Creates a software uninstall entry

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
    • Starts CMD.EXE for commands execution

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
      • cmd.exe (PID: 7392)
    • Malware-specific behavior (creating "System.dll" in Temp); NSIS-built installers routinely extract their System.dll plugin into a %TEMP% subfolder, so on its own this pattern matches legitimate installers as well as malware

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
    • Hides command output

      • cmd.exe (PID: 7392)
    • Application launched itself

      • ScreenPal.exe (PID: 7280)
      • cmd.exe (PID: 7392)
      • ScreenPal.exe (PID: 1148)
      • updater.exe (PID: 6200)
    • Reads security settings of Internet Explorer

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7392)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1496)
    • Process requests binary or script from the Internet

      • ScreenPal.exe (PID: 3648)
    • There is functionality for VM detection VirtualBox (YARA)

      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Uses REG/REGEDIT.EXE to modify registry

      • ScreenPal.exe (PID: 1336)
    • There is functionality for VM detection antiVM strings (YARA)

      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • There is functionality for VM detection VMWare (YARA)

      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Starts itself from another location

      • ScreenPal.exe (PID: 3648)
    • There is functionality for taking screenshot (YARA)

      • ScreenPal.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
    • The process executes via Task Scheduler

      • updater.exe (PID: 6200)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 6648)
    • Checks supported languages

      • identity_helper.exe (PID: 7672)
      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 7280)
      • ScreenPal.exe (PID: 1148)
      • ScreenPal.exe (PID: 1336)
      • updater.exe (PID: 6200)
      • updater.exe (PID: 7200)
    • Reads Environment values

      • identity_helper.exe (PID: 7672)
    • Reads the computer name

      • identity_helper.exe (PID: 7672)
      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
      • updater.exe (PID: 6200)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6648)
      • msedge.exe (PID: 2144)
    • The sample compiled with english language support

      • msedge.exe (PID: 6648)
      • msedge.exe (PID: 2144)
      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
    • Checks proxy server information

      • slui.exe (PID: 7428)
      • explorer.exe (PID: 4772)
    • Reads the software policy settings

      • slui.exe (PID: 7428)
      • explorer.exe (PID: 4772)
      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4772)
      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Create files in a temporary directory

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Process checks computer location settings

      • ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe (PID: 1336)
      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Reads CPU info

      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Reads the machine GUID from the registry

      • ScreenPal.exe (PID: 3648)
      • ScreenPal.exe (PID: 1336)
    • Launching a file from a Registry key

      • reg.exe (PID: 5620)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
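The three behaviours most worth hunting for from the list above are visible as plain command lines in the process table further down: the installer spawning cmd.exe to delete its own image from Downloads, ScreenPal.exe running reg.exe queries against HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command to enumerate installed browsers, and reg.exe changing an autorun value. The script below is an added example, not part of the ANY.RUN report, and shows that logic run over process-creation events modelled on those lines. The del and reg query command lines are copied from this report; the intermediate cmd.exe command line, the reg add command line, the install path of ScreenPal.exe and the PIDs 7400 and 3648 as parents are constructed placeholders, since the page does not show them.

```python
"""Flag installer self-delete, browser enumeration and autorun writes in process telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str
    cmdline: str
    ancestors: List[str]  # image paths of parent, grandparent, ... nearest first


def _basename(win_path: str) -> str:
    return win_path.rstrip("\\").rsplit("\\", 1)[-1].lower()


# "del <path to an .exe>" inside a cmd.exe command line (quotes optional).
DEL_RE = re.compile(r'(?i)\bdel\s+"?([A-Za-z]:\\[^"&|]+?\.exe)"?')
# reg.exe query of a per-browser StartMenuInternet handler key.
BROWSER_KEY_RE = re.compile(r'(?i)StartMenuInternet\\([^\\"]+)\\shell\\open\\command')
# reg.exe add under a CurrentVersion\Run or RunOnce key.
RUN_KEY_RE = re.compile(r'(?i)\breg(?:\.exe)?\s+add\s.*\\CurrentVersion\\Run(?:Once)?\b')


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, object]]:
    """Return (rule, pid, detail) findings for the three behaviours named in the report."""
    findings: List[Tuple[str, int, object]] = []
    browser_keys: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        img = _basename(ev.image)
        if img == "cmd.exe":
            m = DEL_RE.search(ev.cmdline)
            # Self-delete: the file being removed is the image of one of this shell's ancestors.
            if m and any(_basename(a) == _basename(m.group(1)) for a in ev.ancestors):
                findings.append(("self_delete", ev.pid, _basename(m.group(1))))
        elif img == "reg.exe":
            m = BROWSER_KEY_RE.search(ev.cmdline)
            if m:
                browser_keys[ev.parent_pid].add(m.group(1).lower())
            if RUN_KEY_RE.search(ev.cmdline):
                findings.append(("autorun_write", ev.pid, ev.cmdline))
    # Browser enumeration: one parent queried two or more distinct browser handler keys.
    for ppid, keys in browser_keys.items():
        if len(keys) >= 2:
            findings.append(("browser_enum", ppid, sorted(keys)))
    return findings


SETUP = r"C:\Users\admin\Downloads\ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe"
APP = r"C:\Users\admin\AppData\Local\ScreenPal\ScreenPal.exe"  # assumed install path (placeholder)
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry modelled on the report's process table; the timeout
# line, the reg add line and the PIDs 7400/3648 are placeholders, not sandbox data.
SAMPLE_EVENTS = [
    ProcEvent(1336, 4772, SETUP, f'"{SETUP}"', [EXPLORER]),
    ProcEvent(3648, 1336, APP, f'"{APP}"', [SETUP, EXPLORER]),
    ProcEvent(7392, 1336, CMD, r'cmd.exe /C "timeout /t 5 >nul"', [SETUP, EXPLORER]),
    ProcEvent(7400, 7392, CMD, f'cmd /C "del {SETUP}"', [CMD, SETUP, EXPLORER]),
    ProcEvent(72, 3648, REG, r'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\shell\open\command" /ve', [APP, SETUP]),
    ProcEvent(188, 3648, REG, r'reg query HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Opera\shell\open\command /ve', [APP, SETUP]),
    ProcEvent(236, 3648, REG, r'reg query HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Firefox-308046B0AF4A39CB\shell\open\command /ve', [APP, SETUP]),
    ProcEvent(5620, 3648, REG, rf'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ScreenPal /t REG_SZ /d "{APP}" /f', [APP, SETUP]),
    ProcEvent(32, 72, r"C:\Windows\System32\conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", [REG, APP]),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:14} pid={pid:<5} {detail}")
```

The self-delete rule compares the deleted file name against the whole ancestry rather than only the direct parent, because in this run the delete is issued by a second cmd.exe that was itself launched by the first one, and a parent-only check would miss it. The browser enumeration rule deliberately needs two or more distinct StartMenuInternet keys from the same parent, so a single default-browser lookup by an ordinary application does not fire it.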
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
564
Monitored processes
412
Malicious processes
4
Suspicious processes
4

Behavior graph

Distinct process images in the graph, in order of first appearance (nodes tagged "no specs" in the interactive graph carry no signature hits):

  • msedge.exe (many instances) and identity_helper.exe
  • slui.exe, rundll32.exe, explorer.exe
  • screenpalsetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe
  • screenpal.exe (four instances)
  • cmd.exe, conhost.exe, timeout.exe, powershell.exe
  • reg.exe (dozens of instances, each paired with a conhost.exe; the process table below shows these as registry queries with ScreenPal.exe as parent)
  • updater.exe (two instances)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
32
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
72
CMD:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\shell\open\command" /ve
Path:
C:\Windows\System32\reg.exe
Parent process:
ScreenPal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
188
CMD:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Opera\shell\open\command /ve
Path:
C:\Windows\System32\reg.exe
Parent process:
ScreenPal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
188
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
236
CMD:
cmd /C "del C:\Users\admin\Downloads\ScreenPalSetup-3.1.10.1_e710fd55-d96d-46f6-8c85-0083b7c86537.exe"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
236
CMD:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Firefox-308046B0AF4A39CB\shell\open\command /ve
Path:
C:\Windows\System32\reg.exe
Parent process:
ScreenPal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
236
CMD:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Opera\shell\open\command /ve
Path:
C:\Windows\System32\reg.exe
Parent process:
ScreenPal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
304
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
51 375
Read events
51 286
Write events
88
Delete events
1

Modification events

Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: failed_count | Value: 0
Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: state | Value: 2
Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: state | Value: 1
Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics | Operation: write | Name: user_experience_metrics.stability.exited_cleanly | Value: 0
Process: msedge.exe (PID 6648) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | Operation: write | Name: S-1-5-21-1693682860-607145093-2874071422-1001 | Value: B8424D53CC972F00
Process: explorer.exe (PID 4772) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0272 | Operation: write | Name: VirtualDesktop | Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\655986 | Operation: write | Name: WindowTabManagerFileMappingId | Value: {C6F84617-F171-4115-8974-6DC739D4F8EF}
Process: explorer.exe (PID 4772) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000070362 | Operation: write | Name: VirtualDesktop | Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\655986 | Operation: write | Name: WindowTabManagerFileMappingId | Value: {1EDB1D7A-A6E1-4F57-A1B2-30CD9B0C6A83}
Process: msedge.exe (PID 6648) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\655986 | Operation: write | Name: WindowTabManagerFileMappingId | Value: {E107060D-9AD6-4B6F-B301-5DB5C16D9128}
Executable files
316
Suspicious files
472
Text files
370
Unknown types
0

Dropped files

PID | Process | Filename
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF175861.TMP
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF175870.TMP
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF175870.TMP
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF175880.TMP
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF175861.TMP
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
6648 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF175890.TMP

The Type, MD5 and SHA256 fields are empty for every row in this export; the ten rows shown are Edge profile log rotations, not files dropped by the installer.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
177
DNS requests
129
Threats
6

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | CN | Reputation
2144 | msedge.exe | GET | 200 | 150.171.28.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:9Az8Imv6QMHc1UmFA_1JZzyY7whsjUmFs1BFRz7gojo&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7604 | svchost.exe | HEAD | 200 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752073499&P2=404&P3=2&P4=jaOsnoRECpy98%2bCsPQjV8qDnglPhBmsli1ZXv3r9WG8jY2p7FnVpcSkj18jIZHnLeFn6j7fGVga84hkNAIIhrg%3d%3d | unknown | whitelisted
8140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4580 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7604 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752073499&P2=404&P3=2&P4=jaOsnoRECpy98%2bCsPQjV8qDnglPhBmsli1ZXv3r9WG8jY2p7FnVpcSkj18jIZHnLeFn6j7fGVga84hkNAIIhrg%3d%3d | unknown | whitelisted
7604 | svchost.exe | HEAD | 200 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4c4fdee0-d69c-42b7-bf5c-3ec046e9dfc9?P1=1752073500&P2=404&P3=2&P4=l0wgxl2cAXaKYX0ZqOLj8aY26k9SkpUD2o%2bzz8VtmbOKmpRosihOLSaM1trOtZLUoRwOxgO0jFTPiaMV143sOA%3d%3d | unknown | whitelisted
7604 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752073499&P2=404&P3=2&P4=jaOsnoRECpy98%2bCsPQjV8qDnglPhBmsli1ZXv3r9WG8jY2p7FnVpcSkj18jIZHnLeFn6j7fGVga84hkNAIIhrg%3d%3d | unknown | whitelisted

The Type and Size columns are empty in this export. All ten plaintext HTTP requests shown are Windows and Edge background traffic (CRL/OCSP fetches, Edge update delivery, network time); none originates from the ScreenPal processes.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | (none, local broadcast) | | | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1520 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | (none, local broadcast) | | | whitelisted
2144 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2144 | msedge.exe | 150.171.28.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2144 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2144 | msedge.exe | 3.161.75.221:443 | d3but52g8hjy3q.cloudfront.net | (not listed) | US | whitelisted
2144 | msedge.exe | 18.209.75.206:443 | screenpal.com | AMAZON-AES | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
screenpal.com
  • 18.209.75.206
  • 3.225.126.51
  • 54.236.97.36
unknown
copilot.microsoft.com
  • 104.126.37.169
  • 104.126.37.136
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.201
  • 2.23.227.208
  • 2.23.227.215
whitelisted
www.google-analytics.com
  • 142.250.186.174
whitelisted
www.googletagmanager.com
  • 142.250.185.232
whitelisted
d3but52g8hjy3q.cloudfront.net
  • 3.161.75.221
  • 3.161.75.32
  • 3.161.75.43
  • 3.161.75.141
whitelisted

Threats

Class | Message (the PID and Process columns are empty in this export)
Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Potentially Bad Traffic | ET INFO Vulnerable Java Version 19.0.x Detected
Potentially Bad Traffic | ET INFO Vulnerable Java Version 19.0.x Detected

The two ET INFO hits are informational: that Emerging Threats rule matches a "Java/19.0.x" User-Agent header sent by the Java runtime's HTTP client, so it reports an out-of-date JRE making web requests, not an observed exploit.
No debug info