URL:

drp.su

Full analysis: https://app.any.run/tasks/2045aaf7-a6b5-4870-986a-aae23ab6de5f
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: May 28, 2025, 09:32:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pua
adware
loader
auto
generic
Indicators:
MD5:

777D82FD44D829992C7E10EAA981C190

SHA1:

08A48D70164252D752ACC24DC1E9ADE164F37EBD

SHA256:

114597A353A46D1A4BCA1ED9E130727019E6F7E73EB3C41579A9966EDC3CABF0

SSDEEP:

3:DiQn:GQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • msedge.exe (PID: 7176)
      • svchost.exe (PID: 2196)
      • aria2c.exe (PID: 9072)
      • aria2c.exe (PID: 8940)
      • aria2c.exe (PID: 8584)
      • aria2c.exe (PID: 7768)

    • Downloads files via BITSADMIN.EXE

      • cmd.exe (PID: 8116)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5228)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 9092)

    • Starts Visual C# compiler

      • powershell.exe (PID: 5228)

  • SUSPICIOUS

    • Access to an unwanted program domain was detected

      • msedge.exe (PID: 7176)
      • svchost.exe (PID: 2196)
      • aria2c.exe (PID: 8940)
      • aria2c.exe (PID: 9072)
      • aria2c.exe (PID: 8584)
      • aria2c.exe (PID: 7768)

    • Process requests binary or script from the Internet

      • mshta.exe (PID: 7660)
      • mshta.exe (PID: 5392)
      • aria2c.exe (PID: 8584)
      • aria2c.exe (PID: 7768)
      • aria2c.exe (PID: 8940)
      • aria2c.exe (PID: 8824)
      • aria2c.exe (PID: 9072)

    • Query Microsoft Defender status

      • cmd.exe (PID: 7844)
      • mshta.exe (PID: 7660)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8368)
      • cmd.exe (PID: 8552)
      • cmd.exe (PID: 8692)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 8224)
      • cmd.exe (PID: 8832)
      • cmd.exe (PID: 9000)

    • Found strings related to reading or modifying Windows Defender settings

      • mshta.exe (PID: 7660)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7660)
      • cmd.exe (PID: 8764)
      • mshta.exe (PID: 8860)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7844)
      • cmd.exe (PID: 9092)

    • Cmdlet gets the status of antimalware software installed on the computer

      • cmd.exe (PID: 7844)

    • The process verifies whether the antivirus software is installed

      • mshta.exe (PID: 7660)

    • Unpacks CAB file

      • expand.exe (PID: 8248)

    • Drops 7-zip archiver for unpacking

      • expand.exe (PID: 8248)
      • 7za.exe (PID: 8372)

    • Executable content was dropped or overwritten

      • expand.exe (PID: 8248)
      • 7za.exe (PID: 8372)
      • csc.exe (PID: 8236)
      • aria2c.exe (PID: 9072)

    • The executable file from the user directory is run by the CMD process

      • 7za.exe (PID: 8372)
      • driverpack-wget.exe (PID: 3996)
      • driverpack-wget.exe (PID: 8484)
      • driverpack-wget.exe (PID: 8464)
      • driverpack-wget.exe (PID: 8496)
      • driverpack-wget.exe (PID: 8628)
      • driverpack-wget.exe (PID: 8848)
      • driverpack-wget.exe (PID: 8928)
      • driverpack-wget.exe (PID: 3872)
      • driverpack-wget.exe (PID: 9028)
      • driverpack-wget.exe (PID: 3036)
      • driverpack-wget.exe (PID: 6652)
      • driverpack-wget.exe (PID: 7576)
      • driverpack-wget.exe (PID: 6456)
      • aria2c.exe (PID: 8824)
      • driverpack-wget.exe (PID: 8716)
      • driverpack-wget.exe (PID: 8360)
      • aria2c.exe (PID: 8940)
      • aria2c.exe (PID: 9072)
      • aria2c.exe (PID: 8584)
      • driverpack-wget.exe (PID: 7804)
      • aria2c.exe (PID: 7768)
      • driverpack-wget.exe (PID: 4896)
      • driverpack-wget.exe (PID: 4776)
      • driverpack-wget.exe (PID: 8720)

    • Process drops legitimate windows executable

      • 7za.exe (PID: 8372)

    • Executing commands from a ".bat" file

      • mshta.exe (PID: 7660)
      • cmd.exe (PID: 8764)

    • Application launched itself

      • cmd.exe (PID: 8764)
      • mshta.exe (PID: 7660)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 9092)

    • Executing commands from ".cmd" file

      • mshta.exe (PID: 8860)

    • The process hides Powershell's copyright startup banner

      • cmd.exe (PID: 9092)

    • Get information on the list of running processes

      • cmd.exe (PID: 9092)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 9092)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 9144)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 9092)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 5228)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8236)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 8284)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 8412)

    • Potential Corporate Privacy Violation

      • aria2c.exe (PID: 8940)
      • aria2c.exe (PID: 8584)
      • aria2c.exe (PID: 8824)
      • aria2c.exe (PID: 7768)
      • aria2c.exe (PID: 9072)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8412)

  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 8060)
      • 7za.exe (PID: 8372)

    • Checks supported languages

      • identity_helper.exe (PID: 8060)
      • expand.exe (PID: 8248)
      • 7za.exe (PID: 8372)

    • Application launched itself

      • msedge.exe (PID: 680)

    • Reads Environment values

      • identity_helper.exe (PID: 8060)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 680)

    • Launch of the file from Downloads directory

      • msedge.exe (PID: 680)
      • msedge.exe (PID: 4208)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7660)
      • mshta.exe (PID: 8860)

    • Checks proxy server information

      • mshta.exe (PID: 7660)

    • Uses BITSADMIN.EXE

      • cmd.exe (PID: 8224)
      • cmd.exe (PID: 8368)
      • cmd.exe (PID: 8832)
      • cmd.exe (PID: 8552)
      • cmd.exe (PID: 8692)
      • cmd.exe (PID: 9000)

    • Reads the machine GUID from the registry

      • expand.exe (PID: 8248)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6852)

    • The sample compiled with english language support

      • expand.exe (PID: 8248)
      • 7za.exe (PID: 8372)

    • Create files in a temporary directory

      • expand.exe (PID: 8248)
      • 7za.exe (PID: 8372)

    • The sample compiled with russian language support

      • 7za.exe (PID: 8372)

    • Changes the display of characters in the console

      • cmd.exe (PID: 8412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
320
Monitored processes
184
Malicious processes
15
Suspicious processes
9

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs #ADWARE msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mshta.exe cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs expand.exe cmd.exe no specs conhost.exe no specs 7za.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rundll32.exe no specs mshta.exe netsh.exe no specs #ADWARE svchost.exe csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs driverpack-wget.exe cmd.exe no specs conhost.exe no specs driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe driverpack-7za.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs driverpack-wget.exe driverpack-wget.exe rundll32.exe no specs driverpack-wget.exe driverpack-wget.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs #ADWARE aria2c.exe #ADWARE aria2c.exe aria2c.exe #ADWARE aria2c.exe #ADWARE aria2c.exe msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs driverpack-wget.exe driverpack-wget.exe driverpack-wget.exe

Process information

PID
CMD
Path
Indicators
Parent process
496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
680"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "drp.su"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
1512"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6932 --field-trial-handle=2360,i,14550808257769407034,2979946698938511211,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2040chcp 65001 C:\Windows\SysWOW64\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
2136"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4236 --field-trial-handle=2360,i,14550808257769407034,2979946698938511211,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3036"tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-2.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_69845.log" C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\Tools\driverpack-wget.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\beetle-cab\driverpack\tools\driverpack-wget.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
34 321
Read events
34 185
Write events
136
Delete events
0

Modification events

(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(680) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
148B0426C5942F00
(PID) Process:(680) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D9B60926C5942F00
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197452
Operation:writeName:WindowTabManagerFileMappingId
Value:
{3E536650-E2BE-4AD5-A030-8BAF1CCD31DB}
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197452
Operation:writeName:WindowTabManagerFileMappingId
Value:
{EB4ED41B-9F3D-442A-A4B0-29BAC950E1B2}
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197452
Operation:writeName:WindowTabManagerFileMappingId
Value:
{B14FCD14-DD0B-4A98-82FF-B4ED83BC165F}
(PID) Process:(680) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197452
Operation:writeName:WindowTabManagerFileMappingId
Value:
{C258FFDD-CE36-4BD2-A220-853FC0998DF4}
Executable files
13
Suspicious files
158
Text files
645
Unknown types
126

Dropped files

PID
Process
Filename
Type
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10a838.TMP
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10a848.TMP
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10a867.TMP
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10a8b5.TMP
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10a8b5.TMP
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
680msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
365
TCP/UDP connections
217
DNS requests
122
Threats
214

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/bin/step1_av.html
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/bin/src/style.css
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/client_ip.js
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js
unknown
whitelisted
7660
mshta.exe
GET
200
54.73.53.134:80
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7176
msedge.exe
13.107.43.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7176
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7176
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
680
msedge.exe
239.255.255.250:1900
whitelisted
7176
msedge.exe
82.145.55.129:80
drp.su
Iomart Cloud Services Limited
GB
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
config.edge.skype.com
  • 13.107.43.16
whitelisted
drp.su
  • 82.145.55.129
unknown
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
driverpack.io
  • 104.20.169.62
  • 104.20.168.62
malicious
www.bing.com
  • 92.123.104.31
  • 92.123.104.30
  • 92.123.104.18
  • 92.123.104.21
  • 92.123.104.26
  • 92.123.104.33
  • 92.123.104.19
  • 92.123.104.29
  • 92.123.104.34
whitelisted

Threats

PID
Process
Class
Message
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP DriverPack Domain in DNS Query
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP DriverPack Domain in DNS Query
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP DriverPack Domain in DNS Query
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP DriverPack Domain in DNS Query
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
7176
msedge.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
7176
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
7176
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
drp.su