URL:

https://download.oxy.st/d/LLfi/2/5f23393a7da9f6bf9ebc96b7ba3ba9d8#

Full analysis: https://app.any.run/tasks/5f5ebd36-8ff9-407a-994a-3576a5fdbe28
Verdict: Malicious activity
Analysis date: October 09, 2024, 15:52:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MD5:

6FE7F77326D933886DC9F450D3F47363

SHA1:

C1CB90CDA65F7EADE5CF025947A093A82831AADA

SHA256:

36C592A453FB701DCD48B6364F089BEFC53CE0031816ED1D44C4EC8BA5941195

SSDEEP:

3:N8SElLigoLXK+sF/JGn:2SKegsXUI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cli_gui.exe (PID: 7952)
      • cmd.exe (PID: 7996)
      • explorer.exe (PID: 4616)

    • Application was injected by another process

      • lsass.exe (PID: 748)
      • dwm.exe (PID: 504)
      • winlogon.exe (PID: 668)
      • svchost.exe (PID: 1144)
      • svchost.exe (PID: 820)
      • svchost.exe (PID: 488)
      • svchost.exe (PID: 1264)
      • svchost.exe (PID: 1476)
      • svchost.exe (PID: 1488)
      • svchost.exe (PID: 1688)
      • svchost.exe (PID: 1680)
      • svchost.exe (PID: 1716)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 2336)
      • svchost.exe (PID: 1932)
      • svchost.exe (PID: 1860)
      • svchost.exe (PID: 1940)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2264)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 1132)
      • svchost.exe (PID: 1356)
      • svchost.exe (PID: 1412)
      • svchost.exe (PID: 1312)
      • svchost.exe (PID: 1512)
      • svchost.exe (PID: 2060)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 2404)
      • spoolsv.exe (PID: 2532)
      • svchost.exe (PID: 2352)
      • svchost.exe (PID: 2608)
      • svchost.exe (PID: 3032)
      • svchost.exe (PID: 2936)
      • svchost.exe (PID: 2700)
      • svchost.exe (PID: 2964)
      • svchost.exe (PID: 2948)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 3252)
      • svchost.exe (PID: 3068)
      • svchost.exe (PID: 3900)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2328)
      • svchost.exe (PID: 3088)
      • svchost.exe (PID: 2344)
      • OfficeClickToRun.exe (PID: 2972)
      • dasHost.exe (PID: 3936)
      • sihost.exe (PID: 3976)
      • svchost.exe (PID: 3752)
      • svchost.exe (PID: 4112)
      • svchost.exe (PID: 4020)
      • svchost.exe (PID: 4284)
      • svchost.exe (PID: 4540)
      • svchost.exe (PID: 4064)
      • svchost.exe (PID: 4320)
      • ctfmon.exe (PID: 4396)
      • svchost.exe (PID: 4800)
      • RuntimeBroker.exe (PID: 5052)
      • explorer.exe (PID: 4616)
      • dllhost.exe (PID: 5968)
      • dllhost.exe (PID: 5212)
      • RuntimeBroker.exe (PID: 5144)
      • svchost.exe (PID: 3688)
      • svchost.exe (PID: 4156)
      • svchost.exe (PID: 5656)
      • ApplicationFrameHost.exe (PID: 3856)
      • svchost.exe (PID: 1128)
      • svchost.exe (PID: 628)
      • svchost.exe (PID: 5000)
      • uhssvc.exe (PID: 1508)
      • MoUsoCoreWorker.exe (PID: 5488)
      • dllhost.exe (PID: 1092)
      • RuntimeBroker.exe (PID: 5864)
      • UserOOBEBroker.exe (PID: 736)
      • RuntimeBroker.exe (PID: 7208)
      • svchost.exe (PID: 6472)
      • svchost.exe (PID: 5064)
      • svchost.exe (PID: 2488)
      • svchost.exe (PID: 632)
      • svchost.exe (PID: 1740)
      • svchost.exe (PID: 5944)
      • svchost.exe (PID: 816)
      • svchost.exe (PID: 7960)
      • svchost.exe (PID: 8052)

    • Runs injected code in another process

      • dialer.exe (PID: 3104)

  • SUSPICIOUS

    • Hides command output

      • cmd.exe (PID: 7996)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7996)
      • explorer.exe (PID: 4616)

    • Starts CMD.EXE for commands execution

      • cli_gui.exe (PID: 7952)
      • explorer.exe (PID: 4616)

    • Executable content was dropped or overwritten

      • nonagon.exe (PID: 8380)
      • updater.exe (PID: 8056)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7996)
      • explorer.exe (PID: 4616)

    • Manipulates environment variables

      • powershell.exe (PID: 6000)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4080)

    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 6848)

  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5276)
      • msedge.exe (PID: 6292)

    • The process uses the downloaded file

      • iexplore.exe (PID: 4304)

    • Application launched itself

      • msedge.exe (PID: 8516)
      • msedge.exe (PID: 6292)

    • Manual execution by a user

      • nonagon.exe (PID: 8924)
      • nonagon.exe (PID: 8380)
      • powershell.exe (PID: 6000)
      • cmd.exe (PID: 4080)
      • dialer.exe (PID: 3104)
      • powershell.exe (PID: 3004)
      • cmd.exe (PID: 6848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
244
Monitored processes
190
Malicious processes
3
Suspicious processes
85

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs runtimebroker.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs nonagon.exe no specs nonagon.exe updater.exe cli_gui.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs svchost.exe cmd.exe no specs powershell.exe conhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe conhost.exe no specs dialer.exe powershell.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs svchost.exe dwm.exe svchost.exe svchost.exe winlogon.exe useroobebroker.exe lsass.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe uhssvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe applicationframehost.exe svchost.exe dashost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe runtimebroker.exe dllhost.exe mousocoreworker.exe svchost.exe runtimebroker.exe svchost.exe dllhost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
488C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
504"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
628C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
632C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
668winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
736C:\Windows\System32\oobe\UserOOBEBroker.exe -EmbeddingC:\Windows\System32\oobe\UserOOBEBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
User OOBE Broker
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\oobe\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
748C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
816C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s UsoSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
820C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
1092C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}C:\Windows\System32\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
Total events
71 683
Read events
70 801
Write events
605
Delete events
277

Modification events

(PID) Process:(4304) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4304) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4304) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4304) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(4304) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(4304) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:DisableFirstRunCustomize
Value:
1
(PID) Process:(6292) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6292) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6292) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6292) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files
9
Suspicious files
246
Text files
105
Unknown types
5

Dropped files

PID
Process
Filename
Type
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF8b714.TMP
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF8b714.TMP
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF8b723.TMP
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF8b743.TMP
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.oldtext
MD5:798EBA8558D3655BC5D2B61984B3BF12
SHA256:04EB76D36567C4FD801C5583AA34A18A081D9030BAE3034D8F81D419A797221D
6292msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF8b791.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
247
DNS requests
268
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
2.16.164.51:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7720
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7720
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
632
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1280
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5276
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6292
msedge.exe
239.255.255.250:1900
whitelisted
5276
msedge.exe
185.178.208.137:443
download.oxy.st
Ddos-guard Ltd
RU
unknown
5276
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
msedge.exe
13.107.246.60:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 216.58.212.142
whitelisted
download.oxy.st
  • 185.178.208.137
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.60
whitelisted
bzib.nelreports.net
  • 2.19.126.152
  • 2.19.126.145
whitelisted
www.bing.com
  • 2.23.209.135
  • 2.23.209.182
  • 2.23.209.189
  • 2.23.209.179
  • 2.23.209.183
  • 2.23.209.130
  • 2.23.209.143
  • 2.23.209.133
  • 2.23.209.140
  • 2.23.209.144
  • 2.23.209.154
  • 2.23.209.148
  • 2.23.209.150
  • 2.23.209.149
whitelisted
check.ddos-guard.net
  • 185.129.100.100
whitelisted

Threats

PID
Process
Class
Message
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
5276
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://download.oxy.st/d/LLfi/2/5f23393a7da9f6bf9ebc96b7ba3ba9d8#