URL:

https://cloudup.com/files/iJ8uEFPy4Jy/download

Full analysis: https://app.any.run/tasks/77f04d87-99f1-4759-9a71-34d1e9bdee1b
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 20:38:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
njrat
bladabindi
remote
backdoor
Indicators:
MD5:

D6F5E312676B87542C8A591E73471171

SHA1:

596C11A86E7B9C882A57A69C9153CBEEF7D20D25

SHA256:

3FFD75EEB796D413B7C4B2AEA4A89A56A527EEE87E899A1C55DD8108A91A61B8

SSDEEP:

3:N8ULBQVyTLKS1I84z:2UaQTXY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 8112)
      • powershell.exe (PID: 8120)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 3024)
      • powershell.exe (PID: 7700)
      • powershell.exe (PID: 6824)
      • powershell.exe (PID: 5124)
      • powershell.exe (PID: 1196)
      • powershell.exe (PID: 1676)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 5680)
      • powershell.exe (PID: 2772)
      • powershell.exe (PID: 7884)
      • powershell.exe (PID: 516)
      • powershell.exe (PID: 1196)
      • powershell.exe (PID: 3956)
      • powershell.exe (PID: 4244)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 8136)
      • powershell.exe (PID: 1764)
      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 7716)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 8120)
      • powershell.exe (PID: 6668)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1764)

    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 5304)

    • Changes Windows Defender settings

      • powershell.exe (PID: 5304)

    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 5304)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 8120)
      • powershell.exe (PID: 8112)
      • powershell.exe (PID: 7836)

    • NjRAT is detected

      • InstallUtil.exe (PID: 2644)

    • Connects to the CnC server

      • InstallUtil.exe (PID: 2644)

    • NJRAT has been detected (SURICATA)

      • InstallUtil.exe (PID: 2644)

  • SUSPICIOUS

    • The process executes JS scripts

      • msedge.exe (PID: 2320)
      • powershell.exe (PID: 8136)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 856)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 856)
      • powershell.exe (PID: 8136)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 856)
      • powershell.exe (PID: 8136)
      • powershell.exe (PID: 1764)
      • cmd.exe (PID: 7872)
      • powershell.exe (PID: 5304)
      • cmd.exe (PID: 7716)
      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 8120)
      • powershell.exe (PID: 6668)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 856)

    • Probably download files using WebClient

      • powershell.exe (PID: 8136)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 856)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8136)
      • powershell.exe (PID: 1764)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 8136)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8136)
      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 1128)

    • Application launched itself

      • powershell.exe (PID: 8136)
      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 8120)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 6668)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 1764)

    • Get information on the list of running processes

      • powershell.exe (PID: 8136)

    • The process executes Powershell scripts

      • powershell.exe (PID: 1764)
      • cmd.exe (PID: 7872)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 2616)
      • cmd.exe (PID: 7716)
      • powershell.exe (PID: 8120)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 6668)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 4152)
      • cmd.exe (PID: 8144)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 5304)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 5304)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 5304)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 664)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 2616)
      • powershell.exe (PID: 8120)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • InstallUtil.exe (PID: 2644)

    • Contacting a server suspected of hosting an CnC

      • InstallUtil.exe (PID: 2644)

    • Connects to unusual port

      • InstallUtil.exe (PID: 2644)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 5056)
      • InstallUtil.exe (PID: 2644)

    • Reads the computer name

      • identity_helper.exe (PID: 5056)
      • InstallUtil.exe (PID: 2644)

    • Application launched itself

      • msedge.exe (PID: 2320)

    • Reads Environment values

      • identity_helper.exe (PID: 5056)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 2320)

    • Reads the software policy settings

      • powershell.exe (PID: 1764)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8136)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 1128)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 8136)

    • Checks proxy server information

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 5304)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1764)

    • Create files in a temporary directory

      • powershell.exe (PID: 1764)

    • Disables trace logs

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 5304)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1764)

    • Creates a new folder

      • cmd.exe (PID: 6244)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 780)
      • powershell.exe (PID: 8056)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 780)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 2236)

    • The sample compiled with english language support

      • msedge.exe (PID: 2236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
239
Monitored processes
96
Malicious processes
10
Suspicious processes
3

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe powershell.exe svchost.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs #NJRAT installutil.exe powershell.exe no specs netsh.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs slui.exe powershell.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe powershell.exe no specs msedge.exe no specs powershell.exe no specs powershell.exe no specs msedge.exe no specs powershell.exe no specs ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5376 --field-trial-handle=2312,i,12756668713861725635,16835725267848544613,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
516"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cmmgc.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
664"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7372 --field-trial-handle=2312,i,12756668713861725635,16835725267848544613,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
664cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /fC:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
668"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7644 --field-trial-handle=2312,i,12756668713861725635,16835725267848544613,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
684ping 127.0.0.1 -n 1 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
684"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5896 --field-trial-handle=2312,i,12756668713861725635,16835725267848544613,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
780powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\BLADES_PN#_Desc_&_Qty Details.js" C:\Windows\System32\wscript.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
121 253
Read events
121 195
Write events
57
Delete events
1

Modification events

(PID) Process:(2320) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
7328260CDD932F00
(PID) Process:(2320) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
DF392F0CDD932F00
(PID) Process:(2320) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197232
Operation:writeName:WindowTabManagerFileMappingId
Value:
{7D38E2B0-B57B-4144-8159-AB3146A09B1E}
(PID) Process:(2320) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197232
Operation:writeName:WindowTabManagerFileMappingId
Value:
{643FFCE5-7481-409D-A152-21427AA0E4A2}
(PID) Process:(6148) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6148) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6148) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6148) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(6148) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(6148) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:DisableFirstRunCustomize
Value:
1
Executable files
14
Suspicious files
400
Text files
143
Unknown types
0

Dropped files

PID
Process
Filename
Type
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b855.TMP
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b865.TMP
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b865.TMP
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b874.TMP
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b894.TMP
MD5:
SHA256:
2320msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
48
TCP/UDP connections
73
DNS requests
81
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5984
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5984
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7656
svchost.exe
HEAD
200
208.89.74.27:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1747705080&P2=404&P3=2&P4=FjLaAMrpuIZZYzwDNtl4OuCsfnEy50GTDdTuKBqg7rrQi%2bS0i2cEo6hvvWHZe%2fneKVK8%2bOxaDelZonQSFkZZkg%3d%3d
unknown
whitelisted
7656
svchost.exe
GET
206
208.89.74.27:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1747705080&P2=404&P3=2&P4=FjLaAMrpuIZZYzwDNtl4OuCsfnEy50GTDdTuKBqg7rrQi%2bS0i2cEo6hvvWHZe%2fneKVK8%2bOxaDelZonQSFkZZkg%3d%3d
unknown
whitelisted
7656
svchost.exe
GET
206
208.89.74.27:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1747705080&P2=404&P3=2&P4=FjLaAMrpuIZZYzwDNtl4OuCsfnEy50GTDdTuKBqg7rrQi%2bS0i2cEo6hvvWHZe%2fneKVK8%2bOxaDelZonQSFkZZkg%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7324
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2320
msedge.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
cloudup.com
  • 192.0.123.238
  • 192.0.123.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.53
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
cldup.com
  • 192.0.77.17
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
1764
powershell.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
5304
powershell.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
2644
InstallUtil.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 41
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.bumbleshrimp .com Domain
2644
InstallUtil.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
2644
InstallUtil.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command li
2644
InstallUtil.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command inf
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cloudup.com/files/iJ8uEFPy4Jy/download