URL:

https://pub-dcbfb82482de46b69a1c89e9e398c6bb.r2.dev/Yxpasg93-.321.zip

Full analysis: https://app.any.run/tasks/3899c8ff-3700-4b63-828b-d3261913eea4
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: February 05, 2026, 02:44:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
possible-phishing
python
payload
silverfox
backdoor
valleyrat
rat
winos
qrcode
pyinstaller
arch-exec
themida
crypto-regex
Indicators:
MD5: B0FA6A23ED04AA7F3ABB25AE7BDFE9AE
SHA1: 19768C1ED2450D689EDA1CF697C242723DAD0B97
SHA256: 169B59D79EF93EEC41DEB7A9A026BFA0143E8AD09683DFFC9237692554D8182E
SSDEEP: 3:N8UcQJRdORfdc5ACaG8dZfPLQSkV:2UcQJyVe5TaG8dZfzQSkV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • cmd.exe (PID: 888)
    • Changes Windows Defender settings

      • cmd.exe (PID: 888)
      • cmd.exe (PID: 8748)
    • Adds process to the Windows Defender exclusion list

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • cmd.exe (PID: 8748)
    • SILVERFOX has been detected (SURICATA)

      • rundll32.exe (PID: 7416)
    • VALLEYRAT has been detected

      • rundll32.exe (PID: 7416)
  • SUSPICIOUS

    • Possible Social Engineering Attempted

      • msedge.exe (PID: 756)
    • Process drops python dynamic module

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
    • Executable content was dropped or overwritten

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • WavesSvc64.exe (PID: 5544)
    • Application launched itself

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
    • Starts CMD.EXE for commands execution

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • The process drops C-runtime libraries

      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • WavesSvc64.exe (PID: 5544)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • Process drops legitimate windows executable

      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • WavesSvc64.exe (PID: 5544)
    • Loads Python modules

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 888)
      • cmd.exe (PID: 8748)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 888)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 8748)
    • Reads the BIOS version

      • WavesSvc64.exe (PID: 5544)
      • WavesSvc64.exe (PID: 6108)
    • The process executes via Task Scheduler

      • WavesSvc64.exe (PID: 6108)
    • Contacting a server suspected of hosting a CnC

      • rundll32.exe (PID: 7416)
    • Found regular expressions for crypto-addresses (YARA)

      • rundll32.exe (PID: 7416)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 676)
      • msedge.exe (PID: 2684)
    • Drops script file

      • msedge.exe (PID: 6952)
      • powershell.exe (PID: 8772)
      • powershell.exe (PID: 7324)
      • msedge.exe (PID: 8576)
    • Reads Environment values

      • identity_helper.exe (PID: 1136)
    • Reads the computer name

      • identity_helper.exe (PID: 1136)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • WavesSvc64.exe (PID: 5544)
    • Checks supported languages

      • identity_helper.exe (PID: 1136)
      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • WavesSvc64.exe (PID: 6108)
      • WavesSvc64.exe (PID: 5544)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2372)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • Creates files in a temporary directory

      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
    • The sample compiled with English language support

      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • WavesSvc64.exe (PID: 5544)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • There is functionality for taking screenshot (YARA)

      • Yxpasg93-.321.exe (PID: 8760)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • rundll32.exe (PID: 7416)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8772)
      • powershell.exe (PID: 7324)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8772)
      • powershell.exe (PID: 7324)
    • Checks proxy server information

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • slui.exe (PID: 3796)
    • Creates files or folders in the user directory

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • PyInstaller has been detected (YARA)

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2244)
      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
    • The sample compiled with Chinese language support

      • ¹È¸èÑéÖ¤Æ÷668.exe (PID: 2900)
      • WavesSvc64.exe (PID: 5544)
    • Process checks whether UAC notifications are on

      • WavesSvc64.exe (PID: 5544)
      • WavesSvc64.exe (PID: 6108)
    • Creates files in the program directory

      • WavesSvc64.exe (PID: 5544)
      • rundll32.exe (PID: 7416)
    • Reads the machine GUID from the registry

      • WavesSvc64.exe (PID: 5544)
      • WavesSvc64.exe (PID: 6108)
    • Themida protector has been detected

      • WavesSvc64.exe (PID: 6108)
      • WavesSvc64.exe (PID: 5544)
    • Manual execution by a user

      • WavesSvc64.exe (PID: 3180)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 214
Monitored processes: 63
Malicious processes: 7
Suspicious processes: 1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 676
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-features=HttpsUpgrades,HttpsFirstModeV2,HttpsOnlyMode,HttpsFirstBalancedMode --no-first-run --no-default-browser-check https://pub-dcbfb82482de46b69a1c89e9e398c6bb.r2.dev/Yxpasg93-.321.zip
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 756
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2380,i,17795470516175391702,7126342504022933623,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 888
CMD: C:\WINDOWS\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming""
Path: C:\Windows\System32\cmd.exe
Parent process: ¹È¸èÑéÖ¤Æ÷668.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1136
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5796,i,17795470516175391702,7126342504022933623,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 0
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1672
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://chromewebstore.google.com/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=zh-cn&pli=1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1908
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2244
CMD: C:\Users\admin\AppData\Local\Temp\¹È¸èÑéÖ¤Æ÷668.exe
Path: C:\Users\admin\AppData\Local\Temp\¹È¸èÑéÖ¤Æ÷668.exe
Parent process: Yxpasg93-.321.exe
User: admin
Integrity Level: HIGH
Modules
Images
c:\users\admin\appdata\local\temp\¹è¸èñéö¤æ÷668.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2372
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Yxpasg93-.321.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: msedge.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2684
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://chromewebstore.google.com/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=zh-cn&pli=1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: ¹È¸èÑéÖ¤Æ÷668.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 21 039
Read events: 21 016
Write events: 21
Delete events: 2

Modification events

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Downloads\chromium_build 1.zip

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\Yxpasg93-.321.zip

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2372) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2900) ¹È¸èÑéÖ¤Æ÷668.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (2900) ¹È¸èÑéÖ¤Æ÷668.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
Executable files: 86
Suspicious files: 85
Text files: 493
Unknown types: 0

Dropped files

PID | Process | Filename
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e4ddf.TMP
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e4def.TMP
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e4dfe.TMP
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1e4dfe.TMP
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1e4dfe.TMP
676 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
HTTP(S) requests: 153
TCP/UDP connections: 99
DNS requests: 102
Threats: 35

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
756 | msedge.exe | GET | - | 104.18.54.45:443 | https://pub-dcbfb82482de46b69a1c89e9e398c6bb.r2.dev/Yxpasg93-.321.zip | unknown | - | - | unknown
756 | msedge.exe | GET | 304 | 150.171.27.11:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | unknown | - | - | whitelisted
- | - | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | unknown | - | - | whitelisted
356 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
756 | msedge.exe | GET | 200 | 52.123.224.68:443 | https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=66&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1770259447&lafgdate=0 | unknown | text | 41.4 Kb | whitelisted
7564 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7564 | svchost.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | unknown | - | - | whitelisted
756 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=arbitration_priority_list&version=24.*.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362 | unknown | text | 271 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7004 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5568 | SearchApp.exe | 23.11.206.107:443 | th.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7564 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
756 | msedge.exe | 52.123.224.68:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
756 | msedge.exe | 150.171.28.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
756 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
th.bing.com
  • 23.11.206.107
  • 23.3.89.113
  • 23.11.206.98
whitelisted
www.bing.com
  • 23.11.206.107
  • 95.100.158.114
  • 23.11.206.98
  • 23.3.89.113
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
google.com
  • 142.250.185.174
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
  • 20.42.73.28
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 52.123.224.68
  • 52.123.224.66
  • 52.123.243.214
whitelisted
pub-dcbfb82482de46b69a1c89e9e398c6bb.r2.dev
  • 104.18.54.45
  • 104.18.50.34
unknown
api.edgeoffer.microsoft.com
  • 13.107.246.45
  • 13.107.213.45
whitelisted

Threats

PID | Process | Class | Message
756 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
756 | msedge.exe | Misc activity | ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI
756 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
756 | msedge.exe | Misc activity | ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI
756 | msedge.exe | Misc activity | ET INFO Observed DNS Query to Cloudflare R2 Public Bucket (r2 .dev) Domain
756 | msedge.exe | Possible Social Engineering Attempted | SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
756 | msedge.exe | Possible Social Engineering Attempted | SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
756 | msedge.exe | Misc activity | ET INFO Observed DNS Query to Cloudflare R2 Public Bucket (r2 .dev) Domain
7564 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7416 | rundll32.exe | A Network Trojan was detected | ET MALWARE Win32/ProcessKiller CnC Initialization M1
No debug info