URL:

https://www.baidu.com/link?url=S-R6yxLOnoIaZXzLeVC0I5rmjksequrd9lC8XA3Xx9DQya_DC6wFS4-6WSpLAlyW&wd=&eqid=97c4c6ad000383ec00000002681c6726

Full analysis: https://app.any.run/tasks/4ce3ece0-b5b6-4fd6-9cbb-b1c581a245a3
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 09, 2025, 18:23:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
xor-url
generic
stealer
Indicators:
MD5:

195E583F5FFE7649B31654D51A6A9454

SHA1:

12B25CDA54A4FCA4A77B9EB5E7D0CAB12A6470AD

SHA256:

FFADDA22A051B98752BDF2D75843619292460B8EDD0D889E97A6D8B516EA6425

SSDEEP:

3:N8DSLkqWXJnE+l1BDxXyeUQRcJxlThmefyyKYBYcUMZDumV//ZUGeDn:2OLkqQJVBNr61UcyyfBmiXqfn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XORed URL has been found (YARA)

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • GENERIC has been found (auto)

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Actions looks like stealing of personal data

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Registers / Runs the DLL via REGSVR32.EXE

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • SoftupNotify.exe (PID: 6584)
      • 360Tray.exe (PID: 6572)

    • Executing a file with an untrusted certificate

      • 360SecLogonHelper.exe (PID: 4180)
      • AdvUtils.exe (PID: 4208)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Executable content was dropped or overwritten

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • EaInstHelper64.exe (PID: 7652)
      • 360Tray.exe (PID: 6572)

    • The process verifies whether the antivirus software is installed

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • There is functionality for taking screenshot (YARA)

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Process requests binary or script from the Internet

      • explorer.exe (PID: 5492)
      • 文件传输助手_1077_80821.exe (PID: 7636)
      • 360Tray.exe (PID: 6572)

    • Potential Corporate Privacy Violation

      • explorer.exe (PID: 5492)
      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Write to the desktop.ini file (may be used to cloak folders)

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Drops 7-zip archiver for unpacking

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Drops a system driver (possible attempt to evade defenses)

      • EaInstHelper64.exe (PID: 7652)
      • 360Tray.exe (PID: 6572)
      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Executes as Windows Service

      • ZhuDongFangYu.exe (PID: 6468)

  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 5244)
      • 文件传输助手_1077_80821.exe (PID: 7636)
      • zoolsaFwAuXuH22.exe (PID: 6944)

    • Checks supported languages

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • identity_helper.exe (PID: 5244)
      • zoolsaFwAuXuH22.exe (PID: 6944)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7360)
      • msedge.exe (PID: 5576)
      • msedge.exe (PID: 7924)

    • Reads Environment values

      • identity_helper.exe (PID: 5244)

    • Application launched itself

      • msedge.exe (PID: 5576)

    • Checks proxy server information

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • explorer.exe (PID: 5492)
      • slui.exe (PID: 4608)

    • Reads the machine GUID from the registry

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Creates files or folders in the user directory

      • 文件传输助手_1077_80821.exe (PID: 7636)

    • Create files in a temporary directory

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • explorer.exe (PID: 5492)

    • Reads the software policy settings

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • slui.exe (PID: 3192)
      • slui.exe (PID: 4608)

    • The sample compiled with chinese language support

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • EaInstHelper64.exe (PID: 7652)
      • 360Tray.exe (PID: 6572)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)

    • The sample compiled with english language support

      • 文件传输助手_1077_80821.exe (PID: 7636)
      • msedge.exe (PID: 7924)

    • Creates files in the program directory

      • 文件传输助手_1077_80821.exe (PID: 7636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(7636) 文件传输助手_1077_80821.exe
Decrypted-URLs (83)http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://chp.f.360.cn/wdcquery
http://cp.uidf.f.360.cn/wpeinfo
http://crl.globalsign.com/ca/gstsacasha384g4.crl0
http://crl.globalsign.com/codesigningrootr45.crl0U
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
http://crl.globalsign.com/root-r6.crl0G
http://crl.globalsign.net/root-r3.crl0
http://crl.globalsign.net/root.crl0
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://crl.verisign.com/pca3-g5.crl04
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://dl.360safe.com/gf/%u.cab
http://dl.360safe.com/gf/def.cab
http://down.360safe.com/setup.exe
http://down.360safe.com/setupbeta.exe
http://hao.360.cn/?ln=360ini
http://logo.verisign.com/vslogo.gif04
http://my.360.com
http://my.360safe.com
http://ocsp.digicert.com0A
http://ocsp.digicert.com0C
http://ocsp.digicert.com0X
http://ocsp.globalsign.com/ca/gstsacasha384g40C
http://ocsp.globalsign.com/codesigningrootr450F
http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
http://ocsp.thawte.com0
http://ocsp.verisign.com0
http://ocsp2.globalsign.com/gstimestampingsha2g20
http://ocsp2.globalsign.com/rootr606
http://pinst.360.cn/360safebeta/safebeta_home.cab
http://pinst.360.cn/360sd/360sd_min.cab
http://s.360.cn/hips/update/inst.htm?m=%s&v=%s&s=%d&r=%d&d=%s&oav=%d
http://s.360.cn/safe/install.html?mid=%s&
http://s.360.cn/safe/setupsperr.htm?mid=%s
http://s1.symcb.com/pca3-g5.crl0
http://s2.symcb.com0
http://sd.360.cn
http://sd.360.cn/downloadbeta.html
http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
http://sf.symcb.com/sf.crl0a
http://sf.symcb.com/sf.crl0f
http://sf.symcb.com/sf.crt0
http://sfdl.360safe.com/inst_gf_popup.exe
http://sfdl.360safe.com/inst_gf_popup_ev.exe
http://sfdl.360safe.com/inst_js_popup.exe
http://sfdl.360safe.com/inst_js_popup_ev.exe
http://stat.sd.360.cn/setupfail.htm?pid=%s&case=%d
http://sv.symcb.com/sv.crl0a
http://sv.symcb.com/sv.crl0f
http://sv.symcb.com/sv.crt0
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
http://www.2345.com/?pic360
http://www.360.cn
http://www.360.cn/killer/360compkill.html
http://www.360.cn/userexperienceimprovement.html
http://www.360.cn/xukexieyi.html#shadu
http://www.360safe.com
http://www.360safe.com/repair.html
http://www.symauth.com/cps0(
http://www.symauth.com/rpa00
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0
https://hao.360.cn/
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
https://www.globalsign.com/repository/06
https://www.verisign.com/cps0*
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
231
Monitored processes
95
Malicious processes
3
Suspicious processes
5

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 文件传输助手_1077_80821.exe no specs #XOR-URL 文件传输助手_1077_80821.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs explorer.exe msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs zoolsafwauxuh22.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs regsvr32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 360seclogonhelper.exe popwndtracker.exe no specs eainsthelper.exe no specs eainsthelper64.exe zhudongfangyu.exe no specs powersaver.exe no specs 360cleanhelper.exe no specs 360tray.exe softupnotify.exe no specs zhudongfangyu.exe no specs zhudongfangyu.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs msedge.exe no specs advutils.exe no specs 360settingcenter.exe no specs wscreg.exe no specs 360enthelper.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
808"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7900 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1056"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7388 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4952 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x304,0x308,0x30c,0x2fc,0x314,0x7ffc88825fd8,0x7ffc88825fe4,0x7ffc88825ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2148"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=4384 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2332"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5196 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll"C:\Windows\System32\regsvr32.exe文件传输助手_1077_80821.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2516"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\Utils\analyst.dll"C:\Windows\SysWOW64\regsvr32.exe360Tray.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2568"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6692 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
2568"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2324,i,3818971414330647077,3489706807127187702,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
42 732
Read events
33 295
Write events
3 909
Delete events
5 528

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005030A
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5576) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
5783EB594E932F00
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5576) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
74B1E2594E932F00
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328458
Operation:writeName:WindowTabManagerFileMappingId
Value:
{5E01E262-D2E9-4862-ABFC-320680044C70}
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328458
Operation:writeName:WindowTabManagerFileMappingId
Value:
{30828651-E236-49E6-81F9-7A321F950ABB}
(PID) Process:(5576) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328458
Operation:writeName:WindowTabManagerFileMappingId
Value:
{12DEF315-C11A-4EB6-BF88-98E99BA71DD3}
Executable files
963
Suspicious files
1 406
Text files
1 439
Unknown types
1

Dropped files

PID
Process
Filename
Type
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b5e4.TMP
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b5f4.TMP
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b603.TMP
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b613.TMP
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b613.TMP
MD5:
SHA256:
5576msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
226
TCP/UDP connections
361
DNS requests
194
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7636
文件传输助手_1077_80821.exe
GET
200
101.198.2.147:80
http://s.360.cn/safe/instcomp.htm?soft=2023040419&status=1&pid=3112964&mid=80342cb959da2233832ae840f019ccba&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7636
文件传输助手_1077_80821.exe
HEAD
200
104.192.108.21:80
http://sfdl.360safe.com/gf/360ini.cab
unknown
whitelisted
3268
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7636
文件传输助手_1077_80821.exe
GET
200
163.181.92.203:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
unknown
whitelisted
7636
文件传输助手_1077_80821.exe
GET
200
163.181.92.203:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAGWohoEOGL3nbC0zhWisZE%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
7360
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5576
msedge.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.175
  • 23.48.23.184
  • 23.48.23.177
  • 23.48.23.189
  • 23.48.23.183
  • 23.48.23.191
  • 23.48.23.180
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 216.58.206.46
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
www.baidu.com
  • 103.235.46.102
  • 103.235.46.115
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
bzib.nelreports.net
  • 2.16.106.35
  • 2.16.106.17
whitelisted
www.bing.com
  • 92.123.104.32
  • 92.123.104.52
  • 92.123.104.19
  • 92.123.104.34
  • 92.123.104.28
  • 92.123.104.49
  • 92.123.104.33
  • 92.123.104.31
  • 92.123.104.59
  • 92.123.104.21
  • 92.123.104.38
  • 92.123.104.47
  • 92.123.104.62
whitelisted

Threats

PID
Process
Class
Message
5492
explorer.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5492
explorer.exe
Misc activity
ET INFO Packed Executable Download
7636
文件传输助手_1077_80821.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7636
文件传输助手_1077_80821.exe
Misc activity
ET INFO Packed Executable Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.baidu.com/link?url=S-R6yxLOnoIaZXzLeVC0I5rmjksequrd9lC8XA3Xx9DQya_DC6wFS4-6WSpLAlyW&wd=&eqid=97c4c6ad000383ec00000002681c6726