URL:

https://zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev/Verify-to-Continue-ID-rttpros-260301-4223.html

Full analysis: https://app.any.run/tasks/4a54d87f-9937-47d5-b188-a7e0ac458fd6
Verdict: Malicious activity
Threats:

ClickFix is a sophisticated social engineering technique that tricks users into manually executing malicious commands on their devices. It masquerades as a "quick fix" for fake technical issues, CAPTCHA verifications, or error messages, often hijacking the clipboard to paste harmful PowerShell or terminal commands. This user-assisted approach helps it bypass traditional security controls, leading to infostealers like Lumma Stealer, RATs, and other malware.

Malware Trends Tracker     >>>
Analysis date: March 02, 2026, 21:38:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
obfuscated-js
susp-clipboard
clickfix
hijackloader
stealer
loader
Indicators:
MD5:

81F3A506AF706B7AD5678BA8F30BE209

SHA1:

2A24D6CDD6B26C996BD734C991A70945C5B5FF1B

SHA256:

15D899E30BC47A1D7E280797C6030E62A47D469C045D8624549D8D248B4D9A96

SSDEEP:

3:N8HzOpESODkrFR0RwVahSGLQ:2e7ODQAHC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • May hide the program window using WMI (SCRIPT)

      • mshta.exe (PID: 2856)

    • HIJACKLOADER has been detected (YARA)

      • ConsPeer64.exe (PID: 7368)
      • HypeProfiler.exe (PID: 8020)
      • Crisp.exe (PID: 6392)

    • Steals credentials from Web Browsers

      • HypeProfiler.exe (PID: 8020)

    • Actions looks like stealing of personal data

      • HypeProfiler.exe (PID: 8020)

    • HIJACKLOADER has been detected (SURICATA)

      • HypeProfiler.exe (PID: 8020)

  • SUSPICIOUS

    • Suspicious clipboard command

      • [System Process] (PID: 0)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 8720)

    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 8720)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • mshta.exe (PID: 2856)

    • Creates an object to access WMI (SCRIPT)

      • mshta.exe (PID: 2856)

    • Executed via WMI

      • powershell.exe (PID: 8720)

    • Starts itself from another location

      • ConsPeer64.exe (PID: 1432)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4020)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 8720)

    • Contacting a server suspected of hosting an CnC

      • HypeProfiler.exe (PID: 8020)

    • Possible stealing from crypto wallets

      • HypeProfiler.exe (PID: 8020)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 9208)
      • firefox.exe (PID: 6908)
      • firefox.exe (PID: 7608)
      • chrome.exe (PID: 8568)
      • chrome.exe (PID: 7412)

    • Reads Environment values

      • identity_helper.exe (PID: 3588)

    • Reads the computer name

      • identity_helper.exe (PID: 3588)
      • msiexec.exe (PID: 4020)
      • ConsPeer64.exe (PID: 1432)
      • ConsPeer64.exe (PID: 7368)
      • HypeProfiler.exe (PID: 8020)
      • Crisp.exe (PID: 6392)

    • Checks supported languages

      • identity_helper.exe (PID: 3588)
      • ConsPeer64.exe (PID: 1432)
      • ConsPeer64.exe (PID: 7368)
      • HypeProfiler.exe (PID: 8020)
      • msiexec.exe (PID: 4020)
      • Crisp.exe (PID: 6392)

    • Drops script file

      • msedge.exe (PID: 3508)
      • powershell.exe (PID: 8720)
      • firefox.exe (PID: 7608)

    • Manual execution by a user

      • osk.exe (PID: 4336)
      • mshta.exe (PID: 2856)
      • osk.exe (PID: 8132)
      • firefox.exe (PID: 6908)
      • chrome.exe (PID: 8568)
      • chrome.exe (PID: 7412)

    • Page contains obfuscated JavaScript

      • msedge.exe (PID: 9208)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2856)

    • Checks proxy server information

      • mshta.exe (PID: 2856)
      • powershell.exe (PID: 8720)
      • slui.exe (PID: 3664)

    • Disables trace logs

      • powershell.exe (PID: 8720)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4020)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4020)
      • ConsPeer64.exe (PID: 7368)

    • Creates files in the program directory

      • ConsPeer64.exe (PID: 1432)
      • HypeProfiler.exe (PID: 8020)

    • There is functionality for taking screenshot (YARA)

      • ConsPeer64.exe (PID: 7368)
      • HypeProfiler.exe (PID: 8020)

    • Create files in a temporary directory

      • ConsPeer64.exe (PID: 7368)
      • HypeProfiler.exe (PID: 8020)
      • Crisp.exe (PID: 6392)

    • Reads the machine GUID from the registry

      • HypeProfiler.exe (PID: 8020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
236
Monitored processes
81
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs osk.exe no specs osk.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs mshta.exe UIAutomationCrossBitnessHook32 Class no specs powershell.exe conhost.exe no specs slui.exe msiexec.exe no specs msiexec.exe no specs msedge.exe no specs msedge.exe no specs conspeer64.exe no specs msedge.exe no specs #HIJACKLOADER conspeer64.exe no specs msedge.exe no specs #HIJACKLOADER hypeprofiler.exe msedge.exe no specs firefox.exe no specs firefox.exe msedge.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs rundll32.exe no specs firefox.exe no specs #HIJACKLOADER crisp.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs chrome.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs #SUSP-CLIPBOARD [system process] no specs

Process information

PID
CMD
Path
Indicators
Parent process
0[System Process]
[System Process]
Integrity Level:
UNKNOWN
224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
272"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4872 -prefsLen 45267 -prefMapHandle 4876 -prefMapSize 272981 -ipcHandle 4884 -initialChannelId {62273a45-27e4-4dcf-b4d4-035d212a1c1e} -parentPid 7608 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7608" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
684C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
824"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5144 -prefsLen 39330 -prefMapHandle 5148 -prefMapSize 272981 -jsInitHandle 5152 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4928 -initialChannelId {2183d8fa-0ed6-4271-b5bd-88680b1b6010} -parentPid 7608 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7608" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1324"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2384,i,17340191597159155738,2528505525002931627,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2400 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1432"C:\Users\admin\AppData\Local\Forestage\ConsPeer64.exe"C:\Users\admin\AppData\Local\Forestage\ConsPeer64.exemsiexec.exe
User:
admin
Company:
Wondershare
Integrity Level:
MEDIUM
Description:
URLReqService
Exit code:
0
Version:
2, 6, 3, 3
Modules
Images
c:\users\admin\appdata\local\forestage\conspeer64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
1524"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4996,i,15901678711812060304,17290237840144518008,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
1876"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5292,i,15901678711812060304,17290237840144518008,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2016"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4260,i,15901678711812060304,17290237840144518008,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
13 850
Read events
13 516
Write events
325
Delete events
9

Modification events

(PID) Process:(4336) osk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp
Operation:writeName:osk
Value:
3
(PID) Process:(4336) osk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp
Operation:writeName:osk
Value:
1
(PID) Process:(4336) osk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility
Operation:writeName:Configuration
Value:
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1
Operation:writeName:SecureConfiguration
Value:
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1
Operation:writeName:Configuration
Value:
osk
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1\ATConfig\Osk
Operation:writeName:WindowLeft
Value:
100
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1\ATConfig\Osk
Operation:writeName:WindowTop
Value:
100
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1\ATConfig\Osk
Operation:writeName:WindowWidth
Value:
1088
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1\ATConfig\Osk
Operation:writeName:WindowHeight
Value:
311
(PID) Process:(4336) osk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1\ATConfig\Osk
Operation:writeName:ClickSound
Value:
1
Executable files
0
Suspicious files
35
Text files
217
Unknown types
568

Dropped files

PID
Process
Filename
Type
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e5978.TMP
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e5978.TMP
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e5978.TMP
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e5978.TMP
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1e5988.TMP
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
9208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1e5997.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
244
TCP/UDP connections
144
DNS requests
178
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7748
msedge.exe
GET
200
52.123.224.69:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=66&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
US
binary
4.30 Kb
whitelisted
7748
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:KPp7eQ6ceGd5koaL6JPtdeDJ94_OiU-wwRgzvRDpBM4&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
binary
100 b
whitelisted
7748
msedge.exe
GET
200
130.61.151.221:443
https://zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev/Verify-to-Continue-ID-rttpros-260301-4223.html
US
binary
216 Kb
unknown
7748
msedge.exe
GET
200
13.107.246.44:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
US
82 b
whitelisted
7748
msedge.exe
GET
304
150.171.27.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
US
whitelisted
7748
msedge.exe
GET
200
104.16.80.73:443
https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015
US
binary
19.4 Kb
unknown
7748
msedge.exe
GET
200
104.16.80.73:443
https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015
US
binary
19.4 Kb
unknown
7748
msedge.exe
GET
200
2.16.204.138:443
https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json
NL
665 Kb
whitelisted
7748
msedge.exe
GET
200
104.18.22.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
text
25 b
whitelisted
7748
msedge.exe
GET
200
13.107.213.44:443
https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v1/GetGlobalConfig?EdgeChannel=stable&EdgeVersion=133.0.3065.92&ConfigVersion=0
US
text
393 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5516
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
8720
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.16.204.138:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7748
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7748
msedge.exe
52.123.224.69:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7748
msedge.exe
130.61.151.221:443
zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev
ORACLE-BMC-31898
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.16.204.138
  • 2.16.204.148
  • 2.16.204.161
  • 2.16.204.151
  • 2.16.204.156
  • 2.16.204.136
  • 2.16.204.135
  • 2.16.204.155
  • 2.16.204.150
  • 2.16.204.157
  • 2.16.241.218
  • 2.16.241.201
  • 2.16.241.207
  • 2.16.241.205
whitelisted
google.com
  • 142.251.208.14
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 52.123.224.69
  • 52.123.243.93
  • 52.123.243.200
whitelisted
zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev
  • 130.61.151.221
  • 141.147.2.8
unknown
api.edgeoffer.microsoft.com
  • 13.107.246.44
  • 13.107.213.44
whitelisted
copilot.microsoft.com
  • 104.18.22.222
  • 104.18.23.222
whitelisted
static.cloudflareinsights.com
  • 104.16.80.73
  • 104.16.79.73
whitelisted

Threats

PID
Process
Class
Message
5516
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2856
mshta.exe
Misc activity
ET INFO Observed UA-CPU Header
8720
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8720
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8020
HypeProfiler.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC connection established M1
8020
HypeProfiler.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound
8020
HypeProfiler.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame inbound
8020
HypeProfiler.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC connection established M2
8020
HypeProfiler.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC connection established M2
8020
HypeProfiler.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev/Verify-to-Continue-ID-rttpros-260301-4223.html