File name: runner.exe
Full analysis: https://app.any.run/tasks/ba00e5ad-c45a-4d85-b0c1-b446b5a3351e
Verdict: Malicious activity
Analysis date: May 15, 2025, 20:07:29
OS: Windows 11 Professional (build: 22000, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5: 41ED2C1B4A42CB62DC690A35A3354A0B
SHA1: 70F09169F464164C68FB3390CA0060A075989F7A
SHA256: FE19F0C9599A9F30C3F036C13C5344EF806D394EEF530F1AA6BB4D4D037C45EF
SSDEEP: 3072:3D3FM0NWJO9XmbTlqL7Z3OUHTks3fi22SN5uoqI1GYv:ZOTJUHzPRN5Pqsv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads the Internet Settings
      • GameBar.exe (PID: 136)
    • Reads security settings of Internet Explorer
      • GameBar.exe (PID: 136)
  • INFO
    • Reads the computer name
      • GameBar.exe (PID: 136)
      • GameBarFTServer.exe (PID: 5948)
    • Checks supported languages
      • GameBar.exe (PID: 136)
      • GameBarFTServer.exe (PID: 5948)
    • Reads the time zone
      • GameBar.exe (PID: 136)
    • Creates files or folders in the user directory
      • GameBar.exe (PID: 136)
      • GameBarFTServer.exe (PID: 5948)
    • Reads the software policy settings
      • GameBar.exe (PID: 136)
    • Reads CPU info
      • GameBar.exe (PID: 136)
    • Reads the machine GUID from the registry
      • GameBar.exe (PID: 136)
    • Reads Environment values
      • GameBar.exe (PID: 136)
      • GameBarFTServer.exe (PID: 5948)
    • Checks proxy server information
      • GameBar.exe (PID: 136)
    • Reads product name
      • GameBar.exe (PID: 136)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:06 17:29:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 173568
InitializedDataSize: 26624
UninitializedDataSize: -
EntryPoint: 0x2a32c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
Screenshots: available in the full report
Total processes: 108
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → runner.exe (no specs) → conhost.exe (no specs)
gamebar.exe
gamebarftserver.exe

Process information

PID: 136
CMD: "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_5.822.6271.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
Path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_5.822.6271.0_x64__8wekyb3d8bbwe\GameBar.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Xbox Game Bar
Version: 5.822.06271.0
Modules (images):
  c:\program files\windowsapps\microsoft.xboxgamingoverlay_5.822.6271.0_x64__8wekyb3d8bbwe\gamebar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll

PID: 1640
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: runner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll

PID: 2864
CMD: "C:\Users\admin\Desktop\runner.exe"
Path: C:\Users\admin\Desktop\runner.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\runner.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\vcruntime140.dll
  c:\windows\system32\vcruntime140_1.dll

PID: 5948
CMD: "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_5.822.6271.0_x64__8wekyb3d8bbwe\GameBarFTServer.exe" -Embedding
Path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_5.822.6271.0_x64__8wekyb3d8bbwe\GameBarFTServer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Xbox Game Bar Full Trust COM Server
Version: 5.822.06271.0
Modules (images):
  c:\program files\windowsapps\microsoft.xboxgamingoverlay_5.822.6271.0_x64__8wekyb3d8bbwe\gamebarftserver.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
Total events: 9 252
Read events: 9 236
Write events: 16
Delete events: 0

Modification events

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: KGLOneSettingsVersion
Value: 75080000C8945302D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: KGLOneSettingsUri
Value: 680074007400700073003A002F002F0064006C006100730073006500740073002D00730073006C002E00780062006F0078006C006900760065002E0063006F006D002F007000750062006C00690063002F0063006F006E00740065006E0074002F006B0067006C002F00560065007200730069006F006E002F0032003100360035002F006B0067006C002E0032003100360035002E0063006F006D0070007200650073007300650064000000C8945302D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: KGLOneSettingsHash
Value: 42004200330035003700310046003400390036004500310042003800300035003300320045003900340039004600320037003300370038003300390030003300410042004500310043003300390038003700460037003300410041003200330039003900420041003900460035003900340033004500390039003300300046000000C8945302D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: KGLOneSettingsCheckTimeout
Value: 68010000C8945302D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: InstalledVersionMajor
Value: 0500C0055E01D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: InstalledVersionMinor
Value: 3603C0055E01D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: InstalledVersionBuild
Value: 7F18C0055E01D5C5DB01

PID/Process: 136 GameBar.exe
Key: \REGISTRY\A\{df000b5e-37b2-ef4e-b0fe-e0563ec78544}\LocalState
Operation: write
Name: InstalledVersionRevision
Value: 0000C0055E01D5C5DB01

PID/Process: 136 GameBar.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID/Process: 136 GameBar.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
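The eight \REGISTRY\A\...\LocalState values above are printed as raw hex. The block below is an added example; it is not part of the ANY.RUN report and is neither ANY.RUN's nor Microsoft's code. It assumes (the report does not say so) that each value is the setting's payload followed by an 8-byte little-endian FILETIME recording when the value was written, and it guesses payload types from size: 2- and 4-byte payloads as integers, a longer even-length buffer ending in a UTF-16 NUL as a UTF-16LE string. Under those assumptions KGLOneSettingsUri decodes to https://dlassets-ssl.xboxlive.com/public/content/kgl/Version/2165/kgl.2165.compressed, KGLOneSettingsVersion to 2165 (the same number as the /Version/2165/ path segment), KGLOneSettingsCheckTimeout to 360, the four InstalledVersion* values to 5.822.6271.0 (the Game Bar package version in the process path), and the trailing timestamp on the KGL values to 2025-05-15 20:07:39 UTC, ten seconds after the analysis start in the header. The hex strings in the block are copied from the report.

```python
"""Decode the LocalState values GameBar.exe (PID 136) wrote during this run.

Added example, not part of the ANY.RUN report. Assumption: each value is
<payload><8-byte little-endian FILETIME>; payload types are guessed from size.
"""
import struct
from datetime import datetime, timedelta, timezone

# Name -> hex value, copied from the report's 'Modification events' section.
REPORT_VALUES = {
    "KGLOneSettingsVersion": "75080000C8945302D5C5DB01",
    "KGLOneSettingsUri": "680074007400700073003A002F002F0064006C006100730073006500740073002D00730073006C002E00780062006F0078006C006900760065002E0063006F006D002F007000750062006C00690063002F0063006F006E00740065006E0074002F006B0067006C002F00560065007200730069006F006E002F0032003100360035002F006B0067006C002E0032003100360035002E0063006F006D0070007200650073007300650064000000C8945302D5C5DB01",
    "KGLOneSettingsHash": "42004200330035003700310046003400390036004500310042003800300035003300320045003900340039004600320037003300370038003300390030003300410042004500310043003300390038003700460037003300410041003200330039003900420041003900460035003900340033004500390039003300300046000000C8945302D5C5DB01",
    "KGLOneSettingsCheckTimeout": "68010000C8945302D5C5DB01",
    "InstalledVersionMajor": "0500C0055E01D5C5DB01",
    "InstalledVersionMinor": "3603C0055E01D5C5DB01",
    "InstalledVersionBuild": "7F18C0055E01D5C5DB01",
    "InstalledVersionRevision": "0000C0055E01D5C5DB01",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw8: bytes) -> datetime:
    """Convert a little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def guess_kind(payload: bytes) -> str:
    """Heuristic (assumption): 2/4-byte payloads are integers, longer even-length
    payloads ending in a UTF-16 NUL are strings, anything else stays hex."""
    if len(payload) == 2:
        return "u16"
    if len(payload) == 4:
        return "u32"
    if len(payload) >= 6 and len(payload) % 2 == 0 and payload.endswith(b"\x00\x00"):
        return "wstr"
    return "hex"


def decode_payload(payload: bytes, kind: str):
    if kind == "u16":
        return struct.unpack("<H", payload)[0]
    if kind == "u32":
        return struct.unpack("<I", payload)[0]
    if kind == "wstr":
        return payload[:-2].decode("utf-16-le")  # drop the NUL terminator
    return payload.hex().upper()


def decode_value(name: str, hexstr: str, kind: str = "") -> dict:
    """Split off the trailing FILETIME, then decode the payload."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8:
        raise ValueError(f"{name}: shorter than the 8-byte FILETIME suffix")
    payload, stamp = raw[:-8], raw[-8:]
    kind = kind or guess_kind(payload)
    return {
        "name": name,
        "kind": kind,
        "value": decode_payload(payload, kind),
        "written_utc": filetime_to_datetime(stamp),
    }


def decode_all(values=REPORT_VALUES) -> dict:
    return {name: decode_value(name, hexstr) for name, hexstr in values.items()}


def installed_version(decoded: dict) -> str:
    """Reassemble the four InstalledVersion* values into a dotted version."""
    parts = ("Major", "Minor", "Build", "Revision")
    return ".".join(str(decoded[f"InstalledVersion{p}"]["value"]) for p in parts)


if __name__ == "__main__":
    decoded = decode_all()
    for entry in decoded.values():
        stamp = entry["written_utc"].strftime("%Y-%m-%d %H:%M:%S")
        print(f"{stamp}Z  {entry['name']:<27} {entry['kind']:<4} {entry['value']!r}")
    print("InstalledVersion:", installed_version(decoded))
```

The two write timestamps differ by about 1.6 s (the InstalledVersion* values carry C0055E01D5C5DB01, the KGL values C8945302D5C5DB01), which is the ordering a reader would otherwise have to infer from the table. The size-based type guess is the weak point: a real 1-character UTF-16 string would be misread as a u32, so pass an explicit kind for any value whose type is known.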
Executable files: 0
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
136 | GameBar.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\profileDataSettings.txt.~tmp | binary
  MD5: 7BFC65234E5E5ED3D901C63EB8B71E38
  SHA256: 902881DCAB44CF62CC3B976FA0E4F4A1DFFF25EDD2FF768A2004E2AE1F77A05A
136 | GameBar.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\profileDataSettings.txt | binary
  MD5: 7BFC65234E5E5ED3D901C63EB8B71E38
  SHA256: 902881DCAB44CF62CC3B976FA0E4F4A1DFFF25EDD2FF768A2004E2AE1F77A05A
136 | GameBar.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\profileDataSettings.txt~RF165b44.TMP | binary
  MD5: 452516F224C76B421714DF6598174F4F
  SHA256: FBEFDF698EB346C2D2C039027363A6D1219552D7366ED9C5C703AB82826EF223
136 | GameBar.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC\INetCache\3I6S3GGB\ab[1].json | binary
  MD5: F74B87058ACB970E0605E4C3C44D91AC
  SHA256: F9846EF5E0E2D7A198B1AF5B80943C393F80B8E6198B2D8DAF9373E55C0C301F
HTTP(S) requests: 7
TCP/UDP connections: 23
DNS requests: 12
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1748 | smartscreen.exe | GET | 200 | 23.53.40.35:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42f29af7bd9fe602 | unknown | whitelisted
1352 | svchost.exe | GET | 200 | 2.16.168.101:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ae0cec35f73e7201 | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b05648a3364df18d | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?4419ccff5da2d8ed | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b5c209eb39f9a373 | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?80c9fc5b6fdd1136 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1352 | svchost.exe | 2.16.168.101:80 | | Akamai International B.V. | RU | unknown
1748 | smartscreen.exe | 48.209.180.244:443 | checkappexec.microsoft.com | | US | whitelisted
1748 | smartscreen.exe | 23.53.40.35:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
136 | GameBar.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
136 | GameBar.exe | 13.107.5.91:443 | www.xboxab.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4288 | svchost.exe | 23.212.222.21:443 | fs.microsoft.com | AKAMAI-AS | AU | whitelisted
4432 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4500 | svchost.exe | 20.161.173.205:443 | licensing.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.206.46 | whitelisted
checkappexec.microsoft.com | 48.209.180.244 | whitelisted
ctldl.windowsupdate.com | 23.53.40.35, 23.53.40.49, 23.53.40.83, 208.89.74.19, 208.89.74.31, 208.89.74.29, 208.89.74.27, 208.89.74.23, 208.89.74.21, 208.89.74.17 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
www.xboxab.com | 13.107.5.91 | whitelisted
fs.microsoft.com | 23.212.222.21 | whitelisted
login.live.com | 40.126.32.76, 20.190.160.130, 40.126.32.138, 40.126.32.136, 20.190.160.65, 40.126.32.133, 20.190.160.64, 40.126.32.134, 20.190.160.17, 20.190.160.5, 40.126.32.68, 20.190.160.3, 20.190.160.20, 20.190.160.4 | whitelisted
licensing.mp.microsoft.com | 20.161.173.205 | whitelisted
dns.msftncsi.com | 131.107.255.255 | whitelisted
self.events.data.microsoft.com | 20.189.173.18 | whitelisted

Threats

PID | Process | Class | Message
 | | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
 | | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
Debug output strings

Process | Message
GameBarFTServer.exe | [TRACE] The DiagOutputDir folder is accessible
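The process table, indicator list, connections and threats above are tied together only by PIDs and parent image names. The block below is an added example, not part of the ANY.RUN report and not ANY.RUN's code. It transcribes those rows as constructed inline data and attributes every indicator, connection and Suricata alert either to the submitted sample's process tree (runner.exe, PID 2864, plus its monitored descendants) or to something outside it. The report names each parent only by image (svchost.exe, explorer.exe), not by PID, so lineage is matched on parent image name; the code labels that as an assumption.

```python
"""Attribute the report's indicators, connections and threats to the submitted
sample's process tree.

Added example, not part of the ANY.RUN report. All data below is transcribed
from the report's tables. Assumption: parents are matched by image name,
because the report lists only the parent image, not the parent PID.
"""
from collections import deque

# Transcribed from 'Process information' and the indicator list.
PROCESSES = [
    {"pid": 2864, "image": "runner.exe", "parent": "explorer.exe", "indicators": []},
    {"pid": 1640, "image": "conhost.exe", "parent": "runner.exe", "indicators": []},
    {"pid": 136, "image": "GameBar.exe", "parent": "svchost.exe", "indicators": [
        ("suspicious", "Reads the Internet Settings"),
        ("suspicious", "Reads security settings of Internet Explorer"),
        ("info", "Reads the computer name"),
        ("info", "Checks supported languages"),
        ("info", "Reads the time zone"),
        ("info", "Creates files or folders in the user directory"),
        ("info", "Reads the software policy settings"),
        ("info", "Reads CPU info"),
        ("info", "Reads the machine GUID from the registry"),
        ("info", "Reads Environment values"),
        ("info", "Checks proxy server information"),
        ("info", "Reads product name"),
    ]},
    {"pid": 5948, "image": "GameBarFTServer.exe", "parent": "svchost.exe", "indicators": [
        ("info", "Reads the computer name"),
        ("info", "Checks supported languages"),
        ("info", "Creates files or folders in the user directory"),
        ("info", "Reads Environment values"),
    ]},
]

# Transcribed from 'Connections': (pid, image, remote endpoint, domain or "").
CONNECTIONS = [
    (1352, "svchost.exe", "2.16.168.101:80", ""),
    (1748, "smartscreen.exe", "48.209.180.244:443", "checkappexec.microsoft.com"),
    (1748, "smartscreen.exe", "23.53.40.35:80", "ctldl.windowsupdate.com"),
    (3952, "svchost.exe", "239.255.255.250:1900", ""),
    (136, "GameBar.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (136, "GameBar.exe", "13.107.5.91:443", "www.xboxab.com"),
    (4288, "svchost.exe", "23.212.222.21:443", "fs.microsoft.com"),
    (4432, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (3640, "svchost.exe", "40.126.32.76:443", "login.live.com"),
    (4500, "svchost.exe", "20.161.173.205:443", "licensing.mp.microsoft.com"),
]

# Transcribed from 'Threats': (pid or None when the report gives none, class, message).
THREATS = [
    (None, "Generic Protocol Command Decode", "SURICATA HTTP Request unrecognized authorization method"),
    (1352, "Misc activity", "ET INFO Microsoft Connection Test"),
    (None, "Generic Protocol Command Decode", "SURICATA HTTP Request unrecognized authorization method"),
]


def lineage(processes, root_pid):
    """PIDs of root_pid and every monitored descendant, following parent image
    names (assumption: the only parent reference the report gives)."""
    by_pid = {p["pid"]: p for p in processes}
    found = {root_pid}
    queue = deque([by_pid[root_pid]["image"]])
    while queue:
        parent_image = queue.popleft()
        for p in processes:
            if p["parent"] == parent_image and p["pid"] not in found:
                found.add(p["pid"])
                queue.append(p["image"])
    return found


def triage(processes, connections, threats, sample_pid):
    """Split every signal in the report into 'belongs to the sample tree' or not."""
    tree = lineage(processes, sample_pid)
    result = {"lineage": sorted(tree), "in_tree": {}, "outside_tree": {},
              "tree_connections": [], "other_connections": [],
              "tree_threats": [], "other_threats": []}
    for p in processes:
        if not p["indicators"]:
            continue
        bucket = "in_tree" if p["pid"] in tree else "outside_tree"
        result[bucket][p["pid"]] = {
            "image": p["image"],
            "parent": p["parent"],
            "suspicious": [m for level, m in p["indicators"] if level == "suspicious"],
            "info": [m for level, m in p["indicators"] if level == "info"],
        }
    for conn in connections:
        result["tree_connections" if conn[0] in tree else "other_connections"].append(conn)
    for threat in threats:  # a threat with no PID cannot be attributed to any process
        result["tree_threats" if threat[0] in tree else "other_threats"].append(threat)
    return result


def verdict_line(result):
    """One-line summary of what the report attributes to the sample itself."""
    n_ind = sum(len(v["suspicious"]) + len(v["info"]) for v in result["in_tree"].values())
    return (f"sample tree {result['lineage']}: {n_ind} indicators, "
            f"{len(result['tree_connections'])} connections, "
            f"{len(result['tree_threats'])} threats attributed; "
            f"{len(result['outside_tree'])} other monitored process(es) carry indicators")


if __name__ == "__main__":
    r = triage(PROCESSES, CONNECTIONS, THREATS, 2864)
    print(verdict_line(r))
    for pid, info in r["outside_tree"].items():
        print(f"  outside tree: {info['image']} (PID {pid}, parent {info['parent']}): "
              f"{len(info['suspicious'])} suspicious, {len(info['info'])} info")
    for pid, image, remote, domain in r["other_connections"]:
        print(f"  outside tree: {image} (PID {pid}) -> {remote} {domain}".rstrip())
```

On this report the sample tree is {2864, 1640}; it carries no indicator, no dropped file, no connection and no Suricata alert, and every flagged behaviour sits on GameBar.exe and GameBarFTServer.exe, both started by svchost.exe. That is not proof that runner.exe did not trigger the Game Bar: packaged-app COM activation (the -ServerName: and -Embedding command lines) always appears with svchost.exe as the parent, so name-based lineage cannot see it. What the attribution does establish is that nothing in the report is recorded against the sample's own processes, whose loaded modules are only the VC++ runtime (msvcp140.dll, vcruntime140.dll, vcruntime140_1.dll) plus apphelp.dll.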