URL:

ru.files.fm/u/y39aztga9y

Full analysis: https://app.any.run/tasks/7bbb7242-70ea-48f3-9e2f-e7cf8ab5f74c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 25, 2025, 18:59:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
windivert-sys
mal-driver
loader
anti-evasion
stealer
Indicators:
MD5:

DA2D71583BB8C97285F4F9A6B9D8D1E0

SHA1:

E17FF6577174A3870CD407FEB1E88D9B27197EBB

SHA256:

1E35FFCAD85EF9BCCBD1002E8F76AEB0D7FCC7F45306D1A1DD6957D6A4B4289A

SSDEEP:

3:NJz4L6RCEcc:bzw6kEcc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 7536)
    • Malicious driver has been detected

      • WinRAR.exe (PID: 7536)
    • Changes powershell execution policy (Bypass)

      • Start.exe (PID: 464)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1264)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1264)
    • Known privilege escalation attack

      • dllhost.exe (PID: 4628)
    • Adds path to the Windows Defender exclusion list

      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Actions looks like stealing of personal data

      • nbgtpasrg.exe (PID: 5080)
    • Changes Windows Defender settings

      • FolderBP.exe (PID: 8640)
      • FolderBP.exe (PID: 8984)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7536)
    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 7536)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 7536)
      • powershell.exe (PID: 1264)
    • Executable content was dropped or overwritten

      • Start.exe (PID: 464)
      • csc.exe (PID: 2956)
      • powershell.exe (PID: 1264)
    • Reads security settings of Internet Explorer

      • Start.exe (PID: 464)
      • nbgtpasrg.exe (PID: 5080)
      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Connects to unusual port

      • Start.exe (PID: 464)
      • nbgtpasrg.exe (PID: 5080)
      • dllhost.exe (PID: 5348)
    • Potential Corporate Privacy Violation

      • Start.exe (PID: 464)
    • Starts POWERSHELL.EXE for commands execution

      • Start.exe (PID: 464)
      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1264)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1264)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2956)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 1264)
    • The process checks if it is being run in the virtual environment

      • nbgtpasrg.exe (PID: 5080)
    • Reads the date of Windows installation

      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • powershell.exe (PID: 1264)
    • Script adds exclusion path to Windows Defender

      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Loads DLL from Mozilla Firefox

      • nbgtpasrg.exe (PID: 5080)
    • Searches for installed software

      • nbgtpasrg.exe (PID: 5080)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 9092)
      • Start.exe (PID: 464)
      • nbgtpasrg.exe (PID: 5080)
      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Application launched itself

      • msedge.exe (PID: 7864)
      • chrome.exe (PID: 5232)
    • Manual execution by a user

      • WinRAR.exe (PID: 7328)
      • WinRAR.exe (PID: 7536)
      • Start.exe (PID: 464)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7536)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7536)
    • Reads Environment values

      • identity_helper.exe (PID: 9092)
    • Checks supported languages

      • identity_helper.exe (PID: 9092)
      • Start.exe (PID: 464)
      • nbgtpasrg.exe (PID: 5080)
      • csc.exe (PID: 2956)
      • FolderBP.exe (PID: 8984)
      • cvtres.exe (PID: 5256)
      • FolderBP.exe (PID: 8640)
      • wmpshare.exe (PID: 2524)
    • Checks proxy server information

      • Start.exe (PID: 464)
      • nbgtpasrg.exe (PID: 5080)
      • slui.exe (PID: 3532)
    • Creates files or folders in the user directory

      • Start.exe (PID: 464)
      • nbgtpasrg.exe (PID: 5080)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1264)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 1264)
    • Create files in a temporary directory

      • csc.exe (PID: 2956)
      • cvtres.exe (PID: 5256)
      • nbgtpasrg.exe (PID: 5080)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 2956)
      • wmpshare.exe (PID: 2524)
      • nbgtpasrg.exe (PID: 5080)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 4736)
      • cmstp.exe (PID: 7544)
    • Creates files in the program directory

      • dllhost.exe (PID: 4628)
    • Process checks computer location settings

      • FolderBP.exe (PID: 8984)
      • FolderBP.exe (PID: 8640)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 4412)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 4412)
    • Disables trace logs

      • cmstp.exe (PID: 7544)
      • cmstp.exe (PID: 4736)
    • Reads CPU info

      • nbgtpasrg.exe (PID: 5080)
    • Process checks whether UAC notifications are on

      • nbgtpasrg.exe (PID: 5080)
    • Reads the software policy settings

      • slui.exe (PID: 3532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
220
Monitored processes
71
Malicious processes
7
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
464
CMD:
"C:\Users\admin\Desktop\Start.exe"
Path:
C:\Users\admin\Desktop\Start.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\start.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netutils.dll
PID:
896
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
nbgtpasrg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
27768
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1264
CMD:
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command -
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
Start.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1500
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2392
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3724,i,11933039753254028452,7465260840935607587,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2524
CMD:
"C:\Program Files\Windows Media Player\wmpshare.exe"
Path:
C:\Program Files\Windows Media Player\wmpshare.exe
Parent process:
nbgtpasrg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Folder Sharing Executable
Version:
12.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows media player\wmpshare.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID:
2956
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\4oqewqt0.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID:
3068
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5416,i,13276775389807037054,16456987834408225235,262144 --variations-seed-version --mojo-platform-channel-handle=7776 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3532
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
3616
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
nbgtpasrg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
25 233
Read events
25 192
Write events
41
Delete events
0

Modification events

(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\Nursultan.rar
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value:
256
Executable files
108
Suspicious files
376
Text files
103
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFfb453.TMP
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfb462.TMP
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfb462.TMP
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFfb472.TMP
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFfb472.TMP
MD5:
SHA256:
PID: 7864
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
192
DNS requests
136
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7208
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:lWTpxvwEbewxqp1w7CJ0l4Sw6_tKbbG18MSkq5xajoM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
99 b
whitelisted
6256
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
7088
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
DE
binary
314 b
whitelisted
6044
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
DE
binary
471 b
whitelisted
5896
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
DE
binary
471 b
whitelisted
4736
SIHClient.exe
GET
200
2.20.154.94:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
ZA
binary
813 b
whitelisted
4736
SIHClient.exe
GET
200
2.20.154.94:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
ZA
binary
402 b
whitelisted
464
Start.exe
GET
200
176.46.152.62:5858
http://176.46.152.62:5858/ea42a48f3cf84d16bcbc36d9a349dbac_crypted_build.exe
IR
executable
122 Kb
malicious
5732
svchost.exe
GET
206
217.195.193.60:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ddbf4492-d475-4fe4-bcde-6cbac56f6034?P1=1761684739&P2=404&P3=2&P4=SKHlMT%2fvIAAv%2bs%2bnJrAGG%2b9Id9K7Ll3fb80f47O8xW%2bNfJKxtbZ0IMeP2P6o8rYykpCND2Au2AdHxcSoGtLuyA%3d%3d
LU
binary
1.09 Kb
whitelisted
5732
svchost.exe
HEAD
200
217.195.193.60:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ddbf4492-d475-4fe4-bcde-6cbac56f6034?P1=1761684739&P2=404&P3=2&P4=SKHlMT%2fvIAAv%2bs%2bnJrAGG%2b9Id9K7Ll3fb80f47O8xW%2bNfJKxtbZ0IMeP2P6o8rYykpCND2Au2AdHxcSoGtLuyA%3d%3d
LU
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
7012
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7088
SearchApp.exe
2.16.106.196:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5596
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6256
svchost.exe
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7208
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7208
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7208
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7208
msedge.exe
2.16.106.219:443
copilot.microsoft.com
Akamai International B.V.
DE
whitelisted
7208
msedge.exe
172.67.75.107:443
ru.files.fm
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.16.106.196
  • 2.16.106.207
  • 2.16.106.200
whitelisted
login.live.com
  • 20.190.160.2
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.4
  • 20.190.160.22
  • 20.190.160.64
  • 40.126.32.138
whitelisted
google.com
  • 142.250.184.206
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
ru.files.fm
  • 172.67.75.107
  • 104.26.1.31
  • 104.26.0.31
unknown
copilot.microsoft.com
  • 2.16.106.219
  • 2.16.106.218
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
www.googletagmanager.com
  • 142.250.185.168
whitelisted

Threats

PID
Process
Class
Message
7208
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7208
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7208
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
464
Start.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
464
Start.exe
Misc activity
ET INFO Observed UA-CPU Header
464
Start.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
464
Start.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
464
Start.exe
Misc activity
ET INFO EXE - Served Attached HTTP
464
Start.exe
Misc activity
ET INFO Packed Executable Download
464
Start.exe
A Network Trojan was detected
ET HUNTING HTTP Response Containing Base64-Encoded Powershell Payload Keywords
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrE61C.tmp directory exists )