| File name: | clippy_1.3.0_x64_en-US.msi |
| Full analysis: | https://app.any.run/tasks/7c66b42c-7e63-4538-b677-4b287ae8f1ca |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | December 24, 2024, 05:58:34 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: clippy, Author: clippy, Keywords: Installer, Comments: This installer database contains the logic and data required to install clippy., Template: x64;0, Revision Number: {B8746D0E-D851-4CC3-B64C-E95452190D5B}, Create Time/Date: Tue Dec 24 03:36:42 2024, Last Saved Time/Date: Tue Dec 24 03:36:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2 |
| MD5: | 06D9C485E59F9AFF33FDDFB0F386279C |
| SHA1: | 84CA517FD6D1752124E1029A2C142C74CF58FA32 |
| SHA256: | 349774E037FE63ED026387A700E5C2362E041473E6AA465B30A0B3D996786F1B |
| SSDEEP: | 98304:dr3tGiN5yS7aQRg7Y9ZLJvjt2L7FYrsXTQP9s/Obf44wT4nyE8QWRwualeyQxRbx:uQLBc710bPMKXObeOlD49e0h+k3kmnu |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 2448)
Changes the autorun value in the registry
- MicrosoftEdgeUpdate.exe (PID: 6076)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 5156)
Starts process via Powershell
- powershell.exe (PID: 2448)
Starts POWERSHELL.EXE for commands execution
- msiexec.exe (PID: 3732)
Downloads file from URI via Powershell
- powershell.exe (PID: 2448)
The process bypasses the loading of PowerShell profile settings
- msiexec.exe (PID: 3732)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 3732)
Manipulates environment variables
- powershell.exe (PID: 2448)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 2448)
Executable content was dropped or overwritten
- powershell.exe (PID: 2448)
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
- MicrosoftEdgeUpdate.exe (PID: 6076)
Process drops legitimate windows executable
- powershell.exe (PID: 2448)
- MicrosoftEdgeUpdate.exe (PID: 6076)
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
Starts a Microsoft application from unusual location
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
- MicrosoftEdgeUpdate.exe (PID: 6076)
Creates/Modifies COM task schedule object
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1412)
- MicrosoftEdgeUpdate.exe (PID: 364)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3608)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5740)
Reads security settings of Internet Explorer
- MicrosoftEdgeUpdate.exe (PID: 6076)
Starts itself from another location
- MicrosoftEdgeUpdate.exe (PID: 6076)
Potential Corporate Privacy Violation
- svchost.exe (PID: 4036)
INFO
An automatically generated document
- msiexec.exe (PID: 3772)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3772)
- msiexec.exe (PID: 3732)
Reads the computer name
- msiexec.exe (PID: 3732)
- msiexec.exe (PID: 2672)
- MicrosoftEdgeUpdate.exe (PID: 6076)
- MicrosoftEdgeUpdate.exe (PID: 364)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1412)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5740)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3608)
- MicrosoftEdgeUpdate.exe (PID: 3848)
- MicrosoftEdgeUpdate.exe (PID: 3464)
- MicrosoftEdgeUpdate.exe (PID: 4360)
Checks supported languages
- msiexec.exe (PID: 3732)
- msiexec.exe (PID: 2672)
- MicrosoftEdgeUpdate.exe (PID: 6076)
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1412)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3608)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5740)
- MicrosoftEdgeUpdate.exe (PID: 3848)
- MicrosoftEdgeUpdate.exe (PID: 364)
- MicrosoftEdgeUpdate.exe (PID: 3464)
- MicrosoftEdgeUpdate.exe (PID: 4360)
Manages system restore points
- SrTasks.exe (PID: 5836)
Creates a software uninstall entry
- msiexec.exe (PID: 3732)
Disables trace logs
- powershell.exe (PID: 2448)
Checks proxy server information
- powershell.exe (PID: 2448)
- MicrosoftEdgeUpdate.exe (PID: 3848)
- MicrosoftEdgeUpdate.exe (PID: 4360)
The executable file from the user directory is run by the Powershell process
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
The sample compiled with english language support
- powershell.exe (PID: 2448)
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
- MicrosoftEdgeUpdate.exe (PID: 6076)
Create files in a temporary directory
- MicrosoftEdgeWebview2Setup.exe (PID: 2976)
- svchost.exe (PID: 4036)
Creates files or folders in the user directory
- MicrosoftEdgeUpdate.exe (PID: 6076)
Process checks computer location settings
- MicrosoftEdgeUpdate.exe (PID: 6076)
Reads Environment values
- MicrosoftEdgeUpdate.exe (PID: 3848)
Reads the software policy settings
- MicrosoftEdgeUpdate.exe (PID: 3848)
- MicrosoftEdgeUpdate.exe (PID: 4360)
Reads the machine GUID from the registry
- MicrosoftEdgeUpdate.exe (PID: 3848)
- MicrosoftEdgeUpdate.exe (PID: 4360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | clippy |
| Author: | clippy |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install clippy. |
| Template: | x64;0 |
| RevisionNumber: | {B8746D0E-D851-4CC3-B64C-E95452190D5B} |
| CreateDate: | 2024:12:24 03:36:42 |
| ModifyDate: | 2024:12:24 03:36:42 |
| Pages: | 450 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.14.1.8722) |
| Security: | Read-only recommended |
Total processes
137
Monitored processes
18
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 364 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.43 Modules
| |||||||||||||||
| 1412 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update COM Registration Helper Exit code: 0 Version: 1.3.195.43 Modules
| |||||||||||||||
| 2448 | powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2672 | C:\Windows\syswow64\MsiExec.exe -Embedding 96F5C97421B3C55BD11166D7C635578F C | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2976 | "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install | C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Setup Version: 1.3.195.43 Modules
| |||||||||||||||
| 3464 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{4C465966-3568-40A9-A76C-FC4A0191E0FE}" /silent | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Version: 1.3.195.43 Modules
| |||||||||||||||
| 3608 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update COM Registration Helper Exit code: 0 Version: 1.3.195.43 Modules
| |||||||||||||||
| 3732 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3772 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\clippy_1.3.0_x64_en-US.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3848 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7NEM0NjU5NjYtMzU2OC00MEE5LUE3NkMtRkM0QTAxOTFFMEZFfSIgdXNlcmlkPSJ7RTBFQzJFOTAtMTMxNS00NDlDLTlGRDQtMUJDNEVFMkY5MkIxfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1MEExNTUwMi1GRUZELTQyMEYtQkZDMS1CM0Y5MTBCRDE0NUZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM2MzI4MDcyNTAiIGluc3RhbGxfdGltZV9tcz0iODc1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.43 Modules
| |||||||||||||||
Total events
19 344
Read events
17 213
Write events
2 088
Delete events
43
Modification events
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 480000000000000056622703C955DB01940E0000640D0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 480000000000000056622703C955DB01940E0000640D0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000AC957F03C955DB01940E0000640D0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000AC957F03C955DB01940E0000640D0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000D7C38603C955DB01940E0000640D0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000F9F98103C955DB01940E0000640D0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3732) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000BE222404C955DB01940E0000640D0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5156) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000CFF03B04C955DB0124140000E8100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5156) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000CFF03B04C955DB012414000084000000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5156) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000CFF03B04C955DB0124140000D8150000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
204
Suspicious files
13
Text files
6
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3732 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3732 | msiexec.exe | C:\Windows\Installer\1482da.msi | — | |
MD5:— | SHA256:— | |||
| 3732 | msiexec.exe | C:\Windows\Installer\1482dc.msi | — | |
MD5:— | SHA256:— | |||
| 3732 | msiexec.exe | C:\Windows\Temp\~DFF10BFDB4372CA5F8.TMP | binary | |
MD5:71B36D40B5C83E49A891BBC3E17949F7 | SHA256:C061F5800E9B3540CF897D87D838683702554C2528A70D3AF171CCFCAACC2259 | |||
| 3732 | msiexec.exe | C:\Windows\Temp\~DF84B119405DCAA476.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
| 3732 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:2650B777129E09687C0433FD905331EF | SHA256:49542F9BC182E8D7EF007AA37D5FAB0E43ECB5510A02E2831D50C7A20C08534E | |||
| 3732 | msiexec.exe | C:\Windows\Installer\MSI8904.tmp | binary | |
MD5:E4EDEF553D6E0B12C24281A62834ED61 | SHA256:34B9F9EC2446C31C4C2322C4FBAB32F2BEAE6581BD87187FBA8EC9E0F1959D91 | |||
| 3732 | msiexec.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\clippy\clippy.lnk~RF148b85.TMP | binary | |
MD5:BCA6E4C42A9B941E17A9E028F471DEF4 | SHA256:9D12527AE4B31A28A23058EF4851AB60AB53451E8CD59B8D11D978BD6DF0F03D | |||
| 3732 | msiexec.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\clippy\clippy.lnk | binary | |
MD5:BCA6E4C42A9B941E17A9E028F471DEF4 | SHA256:9D12527AE4B31A28A23058EF4851AB60AB53451E8CD59B8D11D978BD6DF0F03D | |||
| 3732 | msiexec.exe | C:\Windows\Installer\{379F445E-8989-4707-A5D2-28845B164C6B}\ProductIcon | image | |
MD5:4BB5768EEC028C2663CA9F0C75788CE8 | SHA256:A0671FC8C591D8FAFA6BCE1114144E2A442EEB21CA9AEB085E0F624BA56777A4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
24
DNS requests
13
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2420 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5340 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2420 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4036 | svchost.exe | HEAD | 200 | 217.20.57.19:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735624820&P2=404&P3=2&P4=i4rhOUnxK%2fBjh3zQoNoRIi3EH5sS1g%2b1Kva0utAFFoYDBMNZHIDKnZPqVkN4XaUqz2BKLdPuFYxF1mbb%2bOW4LA%3d%3d | unknown | — | — | whitelisted |
4036 | svchost.exe | GET | — | 217.20.57.19:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735624820&P2=404&P3=2&P4=i4rhOUnxK%2fBjh3zQoNoRIi3EH5sS1g%2b1Kva0utAFFoYDBMNZHIDKnZPqVkN4XaUqz2BKLdPuFYxF1mbb%2bOW4LA%3d%3d | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.48.23.55:443 | https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/c1336fd6-a2eb-4669-9b03-949fc70ace0e/MicrosoftEdgeWebview2Setup.exe | unknown | executable | 1.58 Mb | whitelisted |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.43?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.43&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.43&requestOmahaVersion=1.3.195.43 | unknown | binary | 484 b | whitelisted |
— | — | POST | 200 | 4.175.87.113:443 | https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates | unknown | ini | 104 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5340 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2420 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5340 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2420 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
msedge.sf.dl.delivery.mp.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
msedge.api.cdp.microsoft.com |
| whitelisted |
msedge.f.tlu.dl.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4036 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |