File name:

enbar.txt

Full analysis: https://app.any.run/tasks/1f22dddb-a6a6-4140-b344-27a441e73846
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 03, 2025, 19:28:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1310)
MD5:

E7D2FC5EBC2E4D054B78E9A9B5514ACD

SHA1:

CA66826801BC6FA4D57954FD9D45D03EFE04A281

SHA256:

3B887A0013ED5EB6E130351ABE39F58E66284C1799A266183DEE1FCC353B430C

SSDEEP:

24576:vEe3EXnZEXxKNEcXYdWcg7HWdW83W8iW80tZW80tik:XYPqCh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6360)
      • powershell.exe (PID: 4444)
      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 6588)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 3220)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6668)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6588)
  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3220)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 6660)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 6660)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6588)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6588)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 4724)
  • INFO

    • Manual execution by a user

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 6660)
      • powershell.exe (PID: 3664)
      • powershell_ise.exe (PID: 5028)
      • powershell.exe (PID: 4444)
      • powershell_ise.exe (PID: 3060)
      • powershell.exe (PID: 6484)
      • powershell_ise.exe (PID: 4388)
      • powershell.exe (PID: 6588)
      • powershell_ise.exe (PID: 5392)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 5064)
    • The process uses the downloaded file

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 6660)
      • powershell.exe (PID: 3664)
      • powershell_ise.exe (PID: 5028)
      • powershell_ise.exe (PID: 3060)
      • powershell_ise.exe (PID: 4388)
      • powershell_ise.exe (PID: 5392)
    • Checks supported languages

      • SearchApp.exe (PID: 5064)
    • Process checks computer location settings

      • SearchApp.exe (PID: 5064)
    • Reads the software policy settings

      • SearchApp.exe (PID: 5064)
      • powershell_ise.exe (PID: 5028)
      • powershell_ise.exe (PID: 4388)
      • powershell_ise.exe (PID: 5392)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 6660)
      • powershell.exe (PID: 4444)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 6660)
      • powershell.exe (PID: 3664)
      • powershell_ise.exe (PID: 5028)
      • powershell_ise.exe (PID: 3060)
      • powershell_ise.exe (PID: 5392)
    • Reads security settings of Internet Explorer

      • powershell_ise.exe (PID: 5028)
      • powershell_ise.exe (PID: 4388)
      • powershell_ise.exe (PID: 3060)
      • powershell_ise.exe (PID: 5392)
    • Create files in a temporary directory

      • powershell_ise.exe (PID: 5028)
      • powershell_ise.exe (PID: 3060)
      • powershell_ise.exe (PID: 4388)
      • powershell_ise.exe (PID: 5392)
    • Checks proxy server information

      • powershell_ise.exe (PID: 5028)
    • Creates files or folders in the user directory

      • powershell_ise.exe (PID: 5028)
      • powershell_ise.exe (PID: 3060)
      • powershell_ise.exe (PID: 4388)
      • powershell_ise.exe (PID: 5392)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6484)
No Malware configuration.
No data.
Total processes
150
Monitored processes
23
Malicious processes
1
Suspicious processes
6

Behavior graph

start powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell_ise.exe powershell.exe no specs conhost.exe no specs powershell_ise.exe no specs powershell_ise.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell_ise.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs searchapp.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2092
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3052
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3060
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\Desktop\a.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3220
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3664
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3812
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4388
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\Desktop\a.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4444
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass "C:\Users\admin\Desktop\a.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4724
CMD: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -nop -Command
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294770688
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
79 438
Read events
79 301
Write events
133
Delete events
4

Modification events

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: IsMSACloudSearchEnabled
Value: 0

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: IsAADCloudSearchEnabled
Value: 0

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: CortanaStateLastRun
Value: AA3A786700000000

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation: delete value
Name: CachedFeatureString
Value:

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\A1hdl50UVDh2ZbG324Nx-6fZgntcGnHOs5kHLdmaJYE\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Recognizers
Operation: write
Name: DefaultTokenId
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation: write
Name: Total
Value: 51825

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: SafeSearchMode
Value: 1

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation: write
Name: Total
Value: 51223

Process: SearchApp.exe (PID: 5064)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation: write
Name: CachedFeatureString
Value:

Process: SearchApp.exe (PID: 5064)
Key: \REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState
Operation: write
Name: BINGIDENTITY_PROP_USEREMAIL
Value: 0000E7721AD9155EDB01

Executable files
0
Suspicious files
83
Text files
258
Unknown types
0

Dropped files

Process: powershell.exe (PID: 6360)
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rvny3tml.5bn.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Process: SearchApp.exe (PID: 5064)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml
Type: text
MD5:732FF9EA85D5400B0F124C52C835CBE5
SHA256:C5DE0D43B1B75991AE89E411246BC38F0B4B14930177DED0752E00217774B960

Process: powershell.exe (PID: 6360)
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mdx4y25q.1zo.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Process: powershell.exe (PID: 6360)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5:121B9E7DEC60DE63616F1160EE4AF14A
SHA256:7F8296E636915D7CDD78F986EA172CBC5F90850289F96866DB231EEBA67FD21A

Process: SearchApp.exe (PID: 5064)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\Swi4yFavETfuSZ9mHxnUvb4UdTw[1].js
Type: s
MD5:B2C3CBF8A1D940D6C83D59A67486675C
SHA256:08EA9109346E9018ED50567503D2C141F7A84CFDE80EB25E97FDDCFE270BAA67

Process: SearchApp.exe (PID: 5064)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\dg0bEoz0nxScOpJJ_JI0IxFBuTs[1].css
Type: text
MD5:071CD9CDFB86B42F65CCD66A7413EAC1
SHA256:C1D6F71AF2376013D3B3FC25DB91CC9DA8D961084641312CCB96B3045AD921D5

Process: powershell.exe (PID: 6360)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PKVMSBQDR9NHEOFC1BO6.temp
Type: binary
MD5:B41FB1BBD1AF162F2903F170543067E7
SHA256:06758C75959632D1BC24AA7F35EB21261C3A69140052509C3320D0760BF47CD4

Process: powershell.exe (PID: 6360)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135d75.TMP
Type: binary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

Process: SearchApp.exe (PID: 5064)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\mIBK4Tj4MH4TuENc-SRjlybWA2M[1].css
Type: text
MD5:61218F90D3B3B1F74B9253D4E5DDF682
SHA256:0553F7C64CC8A8034532FF32F86F5B0DDB061D03843B66C0868CDCA1674E03CC

Process: SearchApp.exe (PID: 5064)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\_BjeFNPDJ-N9umMValublyrbq4Y[1].css
Type: text
MD5:15DC838A1A66277F9F4D915124DFFBBC
SHA256:9C947D5F732431197DA9DB1F159CB3D4CDC5DBFE55FDC0A9513E571FF31236A1

HTTP(S) requests
273
TCP/UDP connections
92
DNS requests
33
Threats
0

HTTP requests


Connections


DNS requests


Threats

No threats detected
No debug info