URL:

https://www.bing.com/ck/a?!&&p=02dcbf60a86befa115d3f0aa174e9aed7b11ea23f7602c7f798815c0032b109fJmltdHM9MTc3NTUyMDAwMA&ptn=3&ver=2&hsh=4&fclid=095ff55c-a518-6e83-1362-e270a40f6f99&u=a1aHR0cHM6Ly9vbGxhbWEuZ3IuY29tLw

Full analysis: https://app.any.run/tasks/592f26ac-74c8-4361-844c-0f4011763cfc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 07, 2026, 16:52:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
github
susp-powershell
anti-evasion
delphi
inno
installer
Indicators:
MD5:

759422B8CED9D60119E80DE50A91C7B2

SHA1:

3F08CA37A56FFFC80D475127A25761A2A0BC2BAC

SHA256:

28795DF8BFF7BFC5FAFD2E92C6CA74DDADEA8D7500319A86D2FA975F4AEB50F6

SSDEEP:

3:N8DSLsROf1KGvuhzCBWJlEAQBCT8cBjsEflRlLtPdjXIAXzRpkcDWUtOPLZQ8Xg8:2OLsR7GvCzVJeMXtFlcANKyW1ul8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loader pattern has been found

      • powershell.exe (PID: 6684)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

      • powershell.exe (PID: 6684)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Executing a file with an untrusted certificate

      • OllamaSetup.exe (PID: 7572)
    • Changes settings of System certificates

      • powershell.exe (PID: 8732)
  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 8732)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 8732)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 6684)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8400)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Enumerates operating system information (Win32_OperatingSystem) (SCRIPT)

      • powershell.exe (PID: 6684)
    • Adds/modifies Windows certificates

      • powershell.exe (PID: 8732)
    • Reads the Windows owner or organization settings

      • OllamaSetup.tmp (PID: 5604)
    • Uses TASKKILL.EXE to kill process

      • OllamaSetup.tmp (PID: 5604)
  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 7456)
    • Reads the computer name

      • identity_helper.exe (PID: 7456)
      • OllamaSetup.tmp (PID: 5604)
      • OllamaSetup.exe (PID: 7572)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 8732)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 8400)
    • Create files in a temporary directory

      • csc.exe (PID: 8400)
      • cvtres.exe (PID: 6732)
      • OllamaSetup.exe (PID: 7572)
      • OllamaSetup.tmp (PID: 5604)
    • Checks supported languages

      • cvtres.exe (PID: 6732)
      • csc.exe (PID: 8400)
      • OllamaSetup.exe (PID: 7572)
      • identity_helper.exe (PID: 7456)
      • OllamaSetup.tmp (PID: 5604)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 8732)
    • Application launched itself

      • msedge.exe (PID: 7704)
    • Manual execution by a user

      • powershell.exe (PID: 8732)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Reads Windows Product ID

      • powershell.exe (PID: 6684)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6684)
    • Creates files or folders in the user directory

      • OllamaSetup.tmp (PID: 5604)
    • Detects InnoSetup installer (YARA)

      • OllamaSetup.exe (PID: 7572)
      • OllamaSetup.tmp (PID: 5604)
    • Compiled with Borland Delphi (YARA)

      • OllamaSetup.tmp (PID: 5604)
      • OllamaSetup.exe (PID: 7572)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
196
Monitored processes
53
Malicious processes
2
Suspicious processes
1

Behavior graph

Processes in order of appearance (instances marked "indicators" are the ones the graph flagged; all others carried no specific indicators):
msedge.exe (indicators), msedge.exe, msedge.exe (indicators), several further msedge.exe instances, identity_helper.exe, identity_helper.exe, several further msedge.exe instances, powershell.exe (indicators), conhost.exe, powershell.exe (indicators), conhost.exe, csc.exe, cvtres.exe, several further msedge.exe instances, ollamasetup.exe, ollamasetup.tmp, taskkill.exe, conhost.exe, taskkill.exe, conhost.exe, further msedge.exe instances

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1788
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6380,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2116
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6040,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=1568 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2324
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5812,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
PID: 2364
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffe2392f208,0x7ffe2392f214,0x7ffe2392f220
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2648
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4896,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2680
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2332,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3048
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=7748,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3692
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=8092,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=796 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4240
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3620,i,16832374878273787785,1699766175818279765,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
19 097
Read events
19 093
Write events
2
Delete events
2

Modification events

(PID) Process: (8732) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 843573112A3B319344E5E4ECABC9F26C7CD54D07
Value:
(PID) Process: (8732) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\843573112A3B319344E5E4ECABC9F26C7CD54D07
Operation: write
Name: Blob
Value: (binary blob omitted from this export)
(PID) Process: (8732) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\843573112A3B319344E5E4ECABC9F26C7CD54D07
Operation: write
Name: Blob
Value: (binary blob omitted from this export)
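The registry events above are a certificate being written under the machine-wide ROOT store: anything chaining to a certificate in HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT is trusted by the Windows CryptoAPI/SChannel stack and by Edge and Chrome on that host, which is why the report flags "Changes settings of System certificates". The following PowerShell is an added example for responders, not code from the ANY.RUN report or from any sample in it; the only value taken from the report is the thumbprint, and the `Compare-RootStoreToBaseline` helper assumes you captured a baseline thumbprint list from a clean build of the same image.

```powershell
# Added example, not part of the ANY.RUN report: check a host for the certificate that
# powershell.exe (PID 8732) wrote into the machine ROOT store in this task. The thumbprint
# is taken from the registry events above; the paths are the standard store locations.
function Test-RootCertificatePresence {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Cert: provider path and its backing registry key for machine-wide trusted roots.
        [string]$StorePath    = 'Cert:\LocalMachine\Root',
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    )
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $certPath   = Join-Path $StorePath $Thumbprint
    $regKey     = Join-Path $RegistryPath $Thumbprint

    $result = [ordered]@{
        Thumbprint           = $Thumbprint
        InCertStore          = Test-Path $certPath
        InRegistry           = Test-Path $regKey
        Subject              = $null
        Issuer               = $null
        SubjectEqualsIssuer  = $null
        NotBefore            = $null
        NotAfter             = $null
        BlobLength           = $null
    }
    if ($result.InCertStore) {
        $cert = Get-Item $certPath
        $result.Subject             = $cert.Subject
        $result.Issuer              = $cert.Issuer
        $result.SubjectEqualsIssuer = ($cert.Subject -eq $cert.Issuer)
        $result.NotBefore           = $cert.NotBefore
        $result.NotAfter            = $cert.NotAfter
    }
    if ($result.InRegistry) {
        # 'Blob' is the value name the report shows being written; it holds the encoded
        # certificate plus its store properties.
        $blob = (Get-ItemProperty -Path $regKey -Name Blob -ErrorAction SilentlyContinue).Blob
        if ($blob) { $result.BlobLength = $blob.Length }
    }
    [pscustomobject]$result
}

# Roots that were not in the image stand out against a baseline captured from a clean build.
# Capture one with:
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content roots-baseline.txt
function Compare-RootStoreToBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Get-Content $BaselinePath |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
    if (-not $baseline) { throw "Baseline file $BaselinePath is empty" }
    $current = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
    # '=>' marks thumbprints present now but absent from the baseline.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Get-Item (Join-Path 'Cert:\LocalMachine\Root' $_.InputObject) } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

# Thumbprint from the modification events in this report.
Test-RootCertificatePresence -Thumbprint '843573112A3B319344E5E4ECABC9F26C7CD54D07'

# Removal, once the certificate is confirmed unwanted (needs an elevated prompt):
# Remove-Item -Path 'Cert:\LocalMachine\Root\843573112A3B319344E5E4ECABC9F26C7CD54D07'
```

Reading either store needs no elevation, so the check can run from a standard user session. Writing under that HKLM key does require administrative rights, which is worth recording about the process that succeeded. For detection rather than after-the-fact triage, Sysmon registry events (Event ID 12 for key create/delete, 13 for value set) scoped to `HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates` will catch the same write this report logged.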
Executable files
37
Suspicious files
230
Text files
268
Unknown types
1 745

Dropped files

PID
Process
Filename
Type
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdffad.TMP
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFdffad.TMP
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFdffbd.TMP
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdffbd.TMP
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdffad.TMP
MD5:
SHA256:
PID: 7704 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
786
TCP/UDP connections
116
DNS requests
141
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2680
msedge.exe
GET
302
2.16.241.222:443
https://www.bing.com/ck/a?!&&p=02dcbf60a86befa115d3f0aa174e9aed7b11ea23f7602c7f798815c0032b109fJmltdHM9MTc3NTUyMDAwMA&ptn=3&ver=2&hsh=4&fclid=095ff55c-a518-6e83-1362-e270a40f6f99&u=a1aHR0cHM6Ly9vbGxhbWEuZ3IuY29tLw
NL
whitelisted
2680
msedge.exe
GET
404
193.233.22.175:443
https://ollama.gr.com/
NL
unknown
2680
msedge.exe
GET
304
150.171.28.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
US
whitelisted
2680
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
binary
446 b
whitelisted
2680
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:4kxhfdtXHR59k1DUzbrFEBYVZ41sQBoSm1Y3wMF6ya8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
binary
101 b
whitelisted
2680
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/autofillservice/core/page/6798788017071867059/6848141677467911329?CIdAlgoVersion=2
US
text
20 b
whitelisted
2680
msedge.exe
GET
200
104.18.23.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
text
25 b
whitelisted
2680
msedge.exe
GET
200
13.107.226.44:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
US
binary
82 b
whitelisted
2680
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=edge_hub_apps_manifest_gz&version=4.11.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362
US
text
266 b
whitelisted
2680
msedge.exe
GET
200
52.123.224.71:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
US
binary
4.42 Kb
whitelisted
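The task was started from a Bing click-tracking link (the `/ck/a?...` URL at the top of the report) rather than from the landing page itself; the HTTP table shows Bing answering 302 and Edge then fetching https://ollama.gr.com/, which returned 404 during the run. The real destination is recoverable offline from the link alone: its `u` parameter is the string `a1` followed by the target URL in base64. The PowerShell below is an added example for triage, not code from the ANY.RUN report; the `a1`-prefix convention is what this sample's URL uses, and the `.gr.com` suffix check mirrors the Suricata alert in the Threats section rather than any rule of Bing's.

```powershell
# Added example, not part of the ANY.RUN report: recover the real destination from the
# Bing click-tracking URL this task was started with. Assumption (true for this sample):
# the 'u' query parameter is "a1" followed by base64 of the target URL.
function Get-BingRedirectTarget {
    param([Parameter(Mandatory)][string]$Url)

    $uri    = [System.Uri]$Url
    $params = @{}
    # Parse the query by hand: it begins with "?!&&", which stricter parsers reject.
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if ($pair -notmatch '=') { continue }
        $key, $value = $pair -split '=', 2
        $params[[System.Uri]::UnescapeDataString($key)] = [System.Uri]::UnescapeDataString($value)
    }

    $u = $params['u']
    if (-not $u -or -not $u.StartsWith('a1')) {
        throw "No 'u=a1<base64>' parameter in $Url"
    }

    # URL-safe base64 without padding: restore the standard alphabet and padding first.
    $b64 = $u.Substring(2).Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $target     = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $targetHost = ([System.Uri]$target).Host

    [pscustomobject]@{
        Target = $target
        Host   = $targetHost
        # The IDS alert in this report keys on the .gr.com suffix; surface the same check
        # so the triage note lines up with the alert.
        SuspiciousSuffix = $targetHost -like '*.gr.com'
    }
}

# The landing URL from this task.
$landing = 'https://www.bing.com/ck/a?!&&p=02dcbf60a86befa115d3f0aa174e9aed7b11ea23f7602c7f798815c0032b109fJmltdHM9MTc3NTUyMDAwMA&ptn=3&ver=2&hsh=4&fclid=095ff55c-a518-6e83-1362-e270a40f6f99&u=a1aHR0cHM6Ly9vbGxhbWEuZ3IuY29tLw'
Get-BingRedirectTarget -Url $landing
```

For the URL above the function returns https://ollama.gr.com/, the same host the HTTP table shows Edge requesting after the 302, so the decode can be done without replaying the redirect. Decoding the link offline also avoids sending a live click-tracking hit to the attacker's chosen destination from an analyst workstation.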

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
8044
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.16.241.222:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
128.24.231.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
2680
msedge.exe
52.123.224.71:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2680
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2680
msedge.exe
2.16.241.222:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.16.241.222
  • 2.16.241.205
  • 2.16.241.207
  • 2.16.241.218
  • 2.16.241.216
  • 2.16.204.155
  • 2.16.204.149
  • 2.16.204.151
  • 2.16.204.146
  • 2.16.204.143
  • 2.16.204.144
  • 2.16.204.152
  • 2.16.204.141
  • 2.16.204.153
  • 2.16.204.142
  • 2.16.204.148
  • 2.16.204.145
  • 2.16.204.156
  • 2.16.204.157
  • 2.16.204.158
  • 2.16.204.138
  • 2.16.204.134
  • 2.16.204.160
  • 2.16.204.135
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.65
  • 48.192.1.65
whitelisted
google.com
  • 142.251.110.100
  • 142.251.110.138
  • 142.251.110.102
  • 142.251.110.139
  • 142.251.110.101
  • 142.251.110.113
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 52.123.224.71
  • 52.123.243.87
  • 52.123.243.204
  • 52.123.243.220
  • 52.123.243.200
  • 52.123.243.78
  • 52.123.224.69
  • 52.123.243.203
whitelisted
api.edgeoffer.microsoft.com
  • 13.107.226.44
  • 13.107.253.44
whitelisted
copilot.microsoft.com
  • 104.18.23.222
  • 104.18.22.222
whitelisted
ollama.gr.com
  • 193.233.22.175
unknown
update.googleapis.com
  • 192.178.183.94
whitelisted

Threats

PID
Process
Class
Message
2680
msedge.exe
Potentially Bad Traffic
ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)
2680
msedge.exe
Potentially Bad Traffic
ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)
2232
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access release user assets on GitHub
6684
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8732
powershell.exe
Potentially Bad Traffic
ET INFO PS1 Powershell File Request
8732
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6684
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6684
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info