URL:

https://limewire.com/d/6ab5b20b-be1c-41ee-94a2-343249b2e17f#eeoUR9NVwpzZp_RNgXAR6bCqskKIYN3FGTwkiGuPJrU

Full analysis: https://app.any.run/tasks/bbb07293-2883-47a7-a35e-18df6b41e10e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 22, 2025, 20:08:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
delphi
inno
installer
loader
Indicators:
MD5:

B61BCFC6DCB7C2091FFB795A04730E80

SHA1:

F092766272E517076BE47B91C8C50E3CD1C86E94

SHA256:

EEB46D399722A42E51E2A1DB4E3F6862B3987A085E4CD33A91F86B2BB7C3070B

SSDEEP:

3:N8MIA/enKTfHXtrN3Rezl3cno9+TGJtAw:2MIA/eKTfHRNhm3cno9RJ/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)
      • ProtonInstaller.exe (PID: 4944)
      • ProtonVPN.exe (PID: 5192)
      • ProtonVPNService.exe (PID: 5472)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • ProtonVPN_v3.5.2_x64.exe (PID: 6436)
      • ProtonVPN.Launcher.exe (PID: 8152)

    • Actions looks like stealing of personal data

      • csrss.exe (PID: 616)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • ProtonVPN.Launcher.exe (PID: 8152)
      • ProtonVPN.exe (PID: 5192)
      • ProtonVPNService.exe (PID: 5472)
      • csrss.exe (PID: 532)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • ProtonVPN.exe (PID: 5192)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • msiexec.exe (PID: 4628)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • MicrosoftEdge_X64_133.0.3065.82.exe (PID: 7004)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • setup.exe (PID: 6900)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • rundll32.exe (PID: 6508)
      • rundll32.exe (PID: 7812)
      • rundll32.exe (PID: 5528)
      • ProtonVPN_v3.5.2_x64.exe (PID: 6436)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)

    • Reads the Windows owner or organization settings

      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • msiexec.exe (PID: 4628)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)

    • Reads security settings of Internet Explorer

      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • ProtonVPN.exe (PID: 5192)

    • Drops a system driver (possible attempt to evade defenses)

      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)

    • The process drops C-runtime libraries

      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • msiexec.exe (PID: 4628)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • MicrosoftEdgeUpdate.exe (PID: 6280)

    • Process drops legitimate windows executable

      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdge_X64_133.0.3065.82.exe (PID: 7004)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • setup.exe (PID: 6900)
      • msiexec.exe (PID: 4628)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6328)
      • MicrosoftEdgeUpdate.exe (PID: 6268)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7008)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6280)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 5936)

    • Application launched itself

      • setup.exe (PID: 6900)
      • MicrosoftEdgeUpdate.exe (PID: 5936)

    • Searches for installed software

      • setup.exe (PID: 6900)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)
      • ProtonVPNService.exe (PID: 5472)

    • Creates a software uninstall entry

      • setup.exe (PID: 6900)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)

    • Executes as Windows Service

      • ProtonVPNService.exe (PID: 5472)

    • Uses RUNDLL32.EXE to load library

      • msiexec.exe (PID: 6504)

    • Changes default file association

      • msiexec.exe (PID: 4628)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 2212)
      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • identity_helper.exe (PID: 6220)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdgeUpdate.exe (PID: 6268)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6328)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
      • MicrosoftEdgeUpdate.exe (PID: 4932)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7008)
      • MicrosoftEdgeUpdate.exe (PID: 7556)
      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • MicrosoftEdge_X64_133.0.3065.82.exe (PID: 7004)
      • setup.exe (PID: 6900)
      • setup.exe (PID: 3952)
      • ProtonInstaller.exe (PID: 4944)
      • ProtonVPN.exe (PID: 5192)
      • wixprqba.exe (PID: 7776)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • wixiuiba.exe (PID: 6584)
      • ProtonVPNService.exe (PID: 5472)
      • msiexec.exe (PID: 4628)
      • msiexec.exe (PID: 6504)
      • ProtonVPN_v3.5.2_x64.exe (PID: 6436)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)
      • MicrosoftEdgeUpdate.exe (PID: 7336)
      • ProtonVPN.Launcher.exe (PID: 8152)

    • Reads Environment values

      • identity_helper.exe (PID: 2212)
      • identity_helper.exe (PID: 6220)
      • MicrosoftEdgeUpdate.exe (PID: 4932)
      • msiexec.exe (PID: 4628)
      • MicrosoftEdgeUpdate.exe (PID: 7336)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4624)
      • msedge.exe (PID: 6352)
      • msiexec.exe (PID: 4628)

    • Reads the computer name

      • identity_helper.exe (PID: 6220)
      • identity_helper.exe (PID: 2212)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdgeUpdate.exe (PID: 6268)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6328)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7008)
      • MicrosoftEdgeUpdate.exe (PID: 4932)
      • MicrosoftEdgeUpdate.exe (PID: 7556)
      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • MicrosoftEdge_X64_133.0.3065.82.exe (PID: 7004)
      • setup.exe (PID: 6900)
      • ProtonInstaller.exe (PID: 4944)
      • ProtonVPN.exe (PID: 5192)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • ProtonVPNService.exe (PID: 5472)
      • msiexec.exe (PID: 4628)
      • msiexec.exe (PID: 6504)
      • ProtonVPN_v3.5.2_x64.exe (PID: 6436)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)
      • MicrosoftEdgeUpdate.exe (PID: 7336)

    • Application launched itself

      • msedge.exe (PID: 7852)
      • msedge.exe (PID: 4624)
      • msiexec.exe (PID: 4628)

    • Create files in a temporary directory

      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • ProtonInstaller.exe (PID: 4944)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • rundll32.exe (PID: 7812)
      • rundll32.exe (PID: 5528)
      • rundll32.exe (PID: 6508)

    • Manual execution by a user

      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • ProtonInstaller.exe (PID: 4944)

    • Process checks computer location settings

      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • setup.exe (PID: 6900)
      • ProtonVPN.exe (PID: 5192)
      • ProtonVPNService.exe (PID: 5472)

    • Detects InnoSetup installer (YARA)

      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)

    • Compiled with Borland Delphi (YARA)

      • ProtonVPN_v3.5.1_x64.exe (PID: 7128)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • ProtonVPN_v3.5.1_x64.tmp (PID: 2440)
      • ProtonVPN_v3.5.1_x64.exe (PID: 6820)

    • The sample compiled with english language support

      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7020)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdge_X64_133.0.3065.82.exe (PID: 7004)
      • setup.exe (PID: 6900)
      • msedge.exe (PID: 6352)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • msiexec.exe (PID: 4628)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)

    • Creates files in the program directory

      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • ProtonVPN.exe (PID: 5192)
      • ProtonVPN.Launcher.exe (PID: 8152)
      • ProtonVPNService.exe (PID: 5472)
      • ProtonVPN_v3.5.2_x64.tmp (PID: 6444)

    • Creates a software uninstall entry

      • ProtonVPN_v3.5.1_x64.tmp (PID: 3732)
      • msiexec.exe (PID: 4628)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • MicrosoftEdge_X64_133.0.3065.82.exe (PID: 7004)
      • setup.exe (PID: 3952)
      • setup.exe (PID: 6900)
      • ProtonVPN.exe (PID: 5192)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
      • msiexec.exe (PID: 4628)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 4932)
      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • MicrosoftEdgeUpdate.exe (PID: 7336)
      • ProtonVPN.exe (PID: 5192)
      • ProtonInstaller.exe (PID: 4944)
      • ProtonVPNService.exe (PID: 5472)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 4932)
      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • ProtonInstaller.exe (PID: 4944)
      • MicrosoftEdgeUpdate.exe (PID: 7336)
      • ProtonVPN.exe (PID: 5192)

    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 5936)
      • Proton%20Drive%20Setup%201.9.0.exe (PID: 556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
241
Monitored processes
109
Malicious processes
20
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs protonvpn_v3.5.1_x64.exe protonvpn_v3.5.1_x64.tmp protonvpn_v3.5.1_x64.exe protonvpn_v3.5.1_x64.tmp msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs microsoftedge_x64_133.0.3065.82.exe setup.exe setup.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs microsoftedgeupdate.exe protoninstaller.exe protonvpn.launcher.exe protonvpn.exe msedge.exe protonvpnservice.exe msedge.exe no specs proton%20drive%20setup%201.9.0.exe wixprqba.exe no specs wixiuiba.exe no specs msiexec.exe msedge.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe protonvpn_v3.5.2_x64.exe protonvpn_v3.5.2_x64.tmp csrss.exe csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
308"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4228 --field-trial-handle=2384,i,8550755231257094024,1943406065801540558,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
372"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5336 --field-trial-handle=2208,i,6726220432544722979,15616111283631733626,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
372"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6064 --field-trial-handle=2208,i,6726220432544722979,15616111283631733626,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
532%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
556"C:\Users\admin\AppData\Local\Temp\Proton%20Drive%20Setup%201.9.0.exe" Source=vpn /quiet NoAutoLaunch=1C:\Users\admin\AppData\Local\Temp\Proton%20Drive%20Setup%201.9.0.exe
ProtonInstaller.exe
User:
admin
Company:
Proton AG
Integrity Level:
MEDIUM
Description:
Proton Drive
Exit code:
0
Version:
1.9.0
Modules
Images
c:\users\admin\appdata\local\temp\proton%20drive%20setup%201.9.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
616%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
768"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5100 --field-trial-handle=2384,i,8550755231257094024,1943406065801540558,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1476"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5504 --field-trial-handle=2384,i,8550755231257094024,1943406065801540558,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1740"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3748 --field-trial-handle=2384,i,8550755231257094024,1943406065801540558,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2092"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5168 --field-trial-handle=2384,i,8550755231257094024,1943406065801540558,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
38 391
Read events
35 451
Write events
2 857
Delete events
83

Modification events

(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(4624) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
46CE20F4568D2F00
(PID) Process:(4624) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
C39749F4568D2F00
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\524968
Operation:writeName:WindowTabManagerFileMappingId
Value:
{4FD7CBB9-9C8A-4B41-AA1D-1DD4C42B44BD}
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\524968
Operation:writeName:WindowTabManagerFileMappingId
Value:
{7F60F74A-E0E4-42AE-8BE0-F0AE236A4D6E}
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\524968
Operation:writeName:WindowTabManagerFileMappingId
Value:
{0016707B-3B28-4383-A21B-BBD6E8FF297A}
(PID) Process:(4624) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\524968
Operation:writeName:WindowTabManagerFileMappingId
Value:
{69743F44-30FE-4702-A3F7-6ED480ECCDF7}
Executable files
1 820
Suspicious files
707
Text files
236
Unknown types
0

Dropped files

PID
Process
Filename
Type
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135efc.TMP
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135f2a.TMP
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135f2a.TMP
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135f3a.TMP
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135f3a.TMP
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
4624msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
59
TCP/UDP connections
105
DNS requests
110
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
524
svchost.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7320
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7320
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRd0JozUYXMqqW4y4zJTrLcMCRSkAQUgTKSQSsozUbIxKLGKjkS7EipPxQCEAwHEuipsfrtSa2fm%2B8l0P0%3D
unknown
whitelisted
7824
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7800e4ef-77a6-478d-979e-60a169311c1e?P1=1740633403&P2=404&P3=2&P4=H84ZZrXIJZEUQqY3508HkMGHoOPhM3S3Z%2fnNOzuqW%2fUxabKfu4YTVMdWXMO879WbxivK75jKWxaVunYo9DiPAw%3d%3d
unknown
whitelisted
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEDPXCKiRQFMZ4qW70zm5rW4%3D
unknown
whitelisted
4624
msedge.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
524
svchost.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
524
svchost.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
92.123.104.64:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6416
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4624
msedge.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
whitelisted
www.microsoft.com
  • 69.192.161.161
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 92.123.104.64
  • 92.123.104.10
  • 92.123.104.66
  • 92.123.104.12
  • 92.123.104.16
  • 92.123.104.11
  • 92.123.104.5
  • 92.123.104.9
  • 92.123.104.6
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.44
whitelisted
limewire.com
  • 104.22.37.240
  • 104.22.36.240
  • 172.67.26.165
unknown

Threats

PID
Process
Class
Message
6416
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
6416
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
6416
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
6416
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
Misc activity
ET INFO Packed Executable Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://limewire.com/d/6ab5b20b-be1c-41ee-94a2-343249b2e17f#eeoUR9NVwpzZp_RNgXAR6bCqskKIYN3FGTwkiGuPJrU