File name:

EXM Free Tweaking Utility V4.zip

Full analysis: https://app.any.run/tasks/2cc160f0-b4b5-4f70-8003-c007db081125
Verdict: Malicious activity
Analysis date: May 27, 2024, 18:50:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

E09A54F173246F47479CE1F61E6E80B1

SHA1:

281ECD635688B002A1F42F42CA2D7C898528311B

SHA256:

5017258D30285FECD6531B6A23B667DC546131A0726AA8034E92E98C1BAB8891

SSDEEP:

384:UOfvfg2vk5Oe8OdXQHL4/RKdUkLa3nJIEsrmpRR1XiWNIYUr1hh0:UOXfj8MeTXQcyUkLaXjAQRWYs1hh0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • curl.exe (PID: 5180)
      • powershell.exe (PID: 1572)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3912)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3912)
      • powershell.exe (PID: 4708)
      • cmd.exe (PID: 2960)

    • Executing commands from ".cmd" file

      • WinRAR.exe (PID: 3912)
      • powershell.exe (PID: 4708)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2960)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2960)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2960)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2960)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2960)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 2540)

    • Application launched itself

      • cmd.exe (PID: 2960)

    • Uses WMIC.EXE to obtain user accounts information

      • cmd.exe (PID: 6036)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6036)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1572)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 1572)

    • Probably fake Windows Update file has been dropped

      • powershell.exe (PID: 1572)

  • INFO

    • Checks supported languages

      • chcp.com (PID: 6036)
      • chcp.com (PID: 2160)
      • chcp.com (PID: 1492)
      • chcp.com (PID: 4416)
      • chcp.com (PID: 5940)
      • chcp.com (PID: 2528)
      • chcp.com (PID: 1608)
      • curl.exe (PID: 5180)
      • chcp.com (PID: 3648)
      • chcp.com (PID: 3100)
      • chcp.com (PID: 3824)
      • chcp.com (PID: 3956)
      • chcp.com (PID: 2088)
      • chcp.com (PID: 4864)
      • chcp.com (PID: 3712)
      • chcp.com (PID: 2740)
      • chcp.com (PID: 700)
      • chcp.com (PID: 1944)
      • identity_helper.exe (PID: 1488)
      • chcp.com (PID: 6256)
      • chcp.com (PID: 608)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2280)

    • Reads the computer name

      • curl.exe (PID: 5180)
      • identity_helper.exe (PID: 1488)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 1572)
      • powershell.exe (PID: 1572)

    • Create files in a temporary directory

      • curl.exe (PID: 5180)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 3960)
      • msedge.exe (PID: 3608)

    • Application launched itself

      • msedge.exe (PID: 3960)
      • msedge.exe (PID: 3608)

    • Manual execution by a user

      • msedge.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:05:20 18:46:52
ZipCRC: 0x137cd26a
ZipCompressedSize: 19960
ZipUncompressedSize: 194734
ZipFileName: EXM Free Tweaking Utility V4.cmd
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
268
Monitored processes
158
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs chcp.com no specs timeout.exe no specs timeout.exe no specs chcp.com no specs powershell.exe no specs cmd.exe conhost.exe no specs chcp.com no specs reg.exe no specs chcp.com no specs timeout.exe no specs chcp.com no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs timeout.exe no specs chcp.com no specs powershell.exe no specs SPPSurrogate no specs reg.exe no specs reg.exe no specs reg.exe no specs chcp.com no specs curl.exe chcp.com no specs powershell.exe chcp.com no specs chcp.com no specs chcp.com no specs powershell.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs pnputil.exe no specs chcp.com no specs chcp.com no specs msedge.exe no specs timeout.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chcp.com no specs msedge.exe no specs msedge.exe no specs timeout.exe no specs chcp.com no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs timeout.exe no specs chcp.com no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chcp.com no specs msedge.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs msedge.exe no specs msedge.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
420"C:\WINDOWS\system32\pnputil.exe" /remove-device SW\{DDF4358E-BB2C-11D0-A42F-00A0C9223196}\{97EBAACB-95BD-11D0-A3EA-00A0C9223196}C:\Windows\System32\pnputil.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
432"C:\WINDOWS\system32\pnputil.exe" /remove-device PCI\VEN_8086&DEV_2935&SUBSYS_11001AF4&REV_03\3&267A616A&1&21C:\Windows\System32\pnputil.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\devobj.dll
608chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
700chcp 437 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
708"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5396 --field-trial-handle=2464,i,14531842405845248334,1361954664317143336,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
724"C:\WINDOWS\system32\pnputil.exe" /remove-device ACPI\PNP0A03\0C:\Windows\System32\pnputil.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sechost.dll
892"C:\WINDOWS\system32\pnputil.exe" /remove-device SWD\MSDAS\{CE958E9A-424F-4C88-86F4-11314821E75A}C:\Windows\System32\pnputil.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sechost.dll
892"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5872 --field-trial-handle=2464,i,14531842405845248334,1361954664317143336,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
924"C:\WINDOWS\system32\pnputil.exe" /remove-device SW\{EEC12DB6-AD9C-4168-8658-B03DAEF417FE}\{ABD61E00-9350-47E2-A632-4438B90C6641}C:\Windows\System32\pnputil.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
928"C:\WINDOWS\system32\pnputil.exe" /remove-device PCI\VEN_8086&DEV_7010&SUBSYS_11001AF4&REV_00\3&267A616A&1&09C:\Windows\System32\pnputil.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\devobj.dll
Total events
55 739
Read events
55 549
Write events
183
Delete events
7

Modification events

(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\EXM Free Tweaking Utility V4.zip
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3912) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@C:\WINDOWS\System32\acppage.dll,-6003
Value:
Windows Command Script
(PID) Process:(3912) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
4
Suspicious files
113
Text files
85
Unknown types
0

Dropped files

PID
Process
Filename
Type
4708powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_knavqseu.10b.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3912WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3912.16209\EXM Free Tweaking Utility V4.cmdtext
MD5:6224B9A9F80306833557F0B5D8A08A5F
SHA256:1DB93D130D56996F9BC4B7CCAC8A1EB7AE893464B8E8D9CB6C0C4054D6A129C9
4708powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_43vjfy02.2t3.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4852powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jblbitwj.45k.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4708powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:D3E0E946106FBCA31F22FD161EB919B8
SHA256:D0572F7C0808A1623199A82B30A250F5FCF2063A1ACF040DF9A57943F0FED5DB
1572powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bwglbdje.uqt.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1572powershell.exeC:\exm\nvidiaProfileInspector.exe.configxml
MD5:CE6D0BC7328B0FAB08DE80F292C1EAA4
SHA256:383B8DCB968B6BD0633658D9BB55C4ACAF4C85A075AA456904A42D4E4EFD5561
1228powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yu4xmvwc.xsu.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1572powershell.exeC:\exm\Exm_Free_Power_Plan_V3.powhiv
MD5:12456892A40CF52DC3CA609489FBA5AA
SHA256:ADFD69E560235FA59F26C6DB6D0C9BE91714C1F7681634A61DF64EE67D51BC78
1572powershell.exeC:\exm\Windows_Update_Blocker.exeexecutable
MD5:585C5000D1A851B295FF295389D7AA1A
SHA256:15FCCF8C018BBBED14664D5A5528CDF087B9032543BE2169D78AB25D141D2B2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
100
TCP/UDP connections
67
DNS requests
48
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2008
msedge.exe
OPTIONS
200
95.100.154.210:443
https://bzib.nelreports.net/api/report?cat=bingbusiness
unknown
2008
msedge.exe
GET
401
13.107.6.158:443
https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox
unknown
2008
msedge.exe
GET
200
154.41.250.3:443
https://exmtweaks.com/storage/app/media/pc.png
unknown
2008
msedge.exe
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=27&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1
unknown
binary
1.15 Kb
2008
msedge.exe
GET
200
204.79.197.239:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
binary
1.01 Kb
2008
msedge.exe
GET
401
13.107.6.158:443
https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox
unknown
binary
584 b
5180
curl.exe
GET
302
162.125.66.18:443
https://www.dropbox.com/scl/fi/wh4figt0lhorsc7ukqgv3/exm.zip?rlkey=fotqy2invkvuvgpwxmh6dsd0m&st=xg5ao5v3&dl=0
unknown
html
256 b
GET
200
154.41.250.3:443
https://exmtweaks.com/
unknown
html
108 Kb
2008
msedge.exe
GET
200
154.41.250.3:443
https://exmtweaks.com/themes/exmtweaks/assets/images/first.svg
unknown
image
869 b
2008
msedge.exe
GET
200
142.250.186.168:443
https://www.googletagmanager.com/gtm.js?id=GTM-TTK2XTQ4
unknown
text
188 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5180
curl.exe
162.125.66.18:443
www.dropbox.com
DROPBOX
DE
unknown
5180
curl.exe
162.125.66.15:443
uc75a97aba6c94c208a19c935618.dl.dropboxusercontent.com
DROPBOX
DE
malicious
3608
msedge.exe
239.255.255.250:1900
unknown
2008
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2008
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2008
msedge.exe
154.41.250.210:443
exmtweaks.com
COGENT-174
US
unknown
2008
msedge.exe
13.107.246.45:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2008
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
www.dropbox.com
  • 162.125.66.18
shared
uc75a97aba6c94c208a19c935618.dl.dropboxusercontent.com
  • 162.125.66.15
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
exmtweaks.com
  • 154.41.250.210
unknown
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
unknown
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.16.63.34
  • 95.100.154.210
whitelisted
www.bing.com
  • 2.19.173.27
  • 2.19.173.106
  • 2.19.173.75
  • 2.19.173.25
  • 2.19.173.51
whitelisted
www.googletagmanager.com
  • 142.250.186.136
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
EXM Free Tweaking Utility V4.zip