URL:

http://178.17.59.68:5506/b.txt

Full analysis: https://app.any.run/tasks/4b398135-c2c0-4a00-9290-a2ca39aec5ab
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Malware Trends Tracker     >>>
Analysis date: January 15, 2026, 07:11:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
hijackloader
stealer
Indicators:
MD5:

47E537ED8F16A430EA6B7E2F6B297EA1

SHA1:

759EC053D3D43C1C0F13086AABC3BF9047D1DFCC

SHA256:

58485980A6E5F3B1DB05113C45FB492265713D8098A63C03025DA7E0BAA7AD78

SSDEEP:

3:N1KqdLLLQ6deRTn:CqZXeRTn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • HIJACKLOADER has been detected (SURICATA)

      • MegaA.exe (PID: 8176)

    • Connects to the CnC server

      • MegaA.exe (PID: 8176)

    • Executing a file with an untrusted certificate

      • MegaA.exe (PID: 8176)

    • HIJACKLOADER has been detected (YARA)

      • Infra_Transp.exe (PID: 9168)
      • MegaA.exe (PID: 8176)
      • Crisp.exe (PID: 4220)

    • Actions looks like stealing of personal data

      • MegaA.exe (PID: 8176)

    • Steals credentials from Web Browsers

      • MegaA.exe (PID: 8176)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Infra_Transp.exe (PID: 8728)
      • Infra_Transp.exe (PID: 9168)

    • Starts itself from another location

      • Infra_Transp.exe (PID: 8728)

    • Executes as Windows Service

      • VSSVC.exe (PID: 7364)

    • Contacting a server suspected of hosting an CnC

      • MegaA.exe (PID: 8176)

    • Connects to unusual port

      • MegaA.exe (PID: 8176)

    • There is functionality for taking screenshot (YARA)

      • Infra_Transp.exe (PID: 9168)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 7500)

    • Checks supported languages

      • identity_helper.exe (PID: 6664)
      • TextInputHost.exe (PID: 8364)
      • msiexec.exe (PID: 7280)
      • Infra_Transp.exe (PID: 9168)
      • Infra_Transp.exe (PID: 8728)
      • Crisp.exe (PID: 4220)
      • MegaA.exe (PID: 8176)

    • Reads the computer name

      • identity_helper.exe (PID: 6664)
      • TextInputHost.exe (PID: 8364)
      • msiexec.exe (PID: 7280)
      • Infra_Transp.exe (PID: 9168)
      • Infra_Transp.exe (PID: 8728)
      • Crisp.exe (PID: 4220)
      • MegaA.exe (PID: 8176)

    • Reads Environment values

      • identity_helper.exe (PID: 6664)

    • Launching a file from the Downloads directory

      • msedge.exe (PID: 7500)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 8216)

    • Connects to unusual port

      • msedge.exe (PID: 7824)

    • The sample compiled with english language support

      • msedge.exe (PID: 7824)
      • Infra_Transp.exe (PID: 9168)
      • msiexec.exe (PID: 7280)
      • Infra_Transp.exe (PID: 8728)

    • Manual execution by a user

      • msiexec.exe (PID: 424)

    • Creates files or folders in the user directory

      • Infra_Transp.exe (PID: 9168)

    • Manages system restore points

      • SrTasks.exe (PID: 4120)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7280)

    • Creates files in the program directory

      • Infra_Transp.exe (PID: 8728)
      • MegaA.exe (PID: 8176)

    • Create files in a temporary directory

      • MegaA.exe (PID: 8176)
      • Infra_Transp.exe (PID: 9168)
      • Crisp.exe (PID: 4220)

    • Reads the machine GUID from the registry

      • MegaA.exe (PID: 8176)

    • Checks proxy server information

      • slui.exe (PID: 8812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
201
Monitored processes
47
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs notepad.exe no specs textinputhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msiexec.exe no specs msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs infra_transp.exe slui.exe msedge.exe no specs msedge.exe no specs #HIJACKLOADER infra_transp.exe msedge.exe no specs msedge.exe no specs #HIJACKLOADER megaa.exe msedge.exe no specs msedge.exe no specs #HIJACKLOADER crisp.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
424"C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\Downloads\ZOREEOXK.msi" C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1984\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4120C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4220C:\Users\admin\AppData\Roaming\com_ms_worker_v3_x86_lts\Crisp.exeC:\Users\admin\AppData\Roaming\com_ms_worker_v3_x86_lts\Crisp.exe
Infra_Transp.exe
User:
admin
Company:
Crisp IM SAS
Integrity Level:
MEDIUM
Description:
Crisp
Exit code:
0
Version:
6.0.68
Modules
Images
c:\windows\syswow64\rasapi32.dll
c:\users\admin\appdata\roaming\com_ms_worker_v3_x86_lts\crisp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
4704"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5196,i,8001348190692759325,7783743280602207040,262144 --variations-seed-version --mojo-platform-channel-handle=7616 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6272"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7624,i,8001348190692759325,7783743280602207040,262144 --variations-seed-version --mojo-platform-channel-handle=7528 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6664"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5948,i,8001348190692759325,7783743280602207040,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7204"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5144,i,8001348190692759325,7783743280602207040,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7232"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5140,i,8001348190692759325,7783743280602207040,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7260"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7236,i,8001348190692759325,7783743280602207040,262144 --variations-seed-version --mojo-platform-channel-handle=7736 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 468
Read events
6 311
Write events
148
Delete events
9

Modification events

(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
480000000000000055DCB738EE85DC01701C0000A01C0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
480000000000000055DCB738EE85DC01701C0000A01C0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
480000000000000005761239EE85DC01701C0000A01C0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
480000000000000005761239EE85DC01701C0000A01C0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7364) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000E2995739EE85DC01C41C000014120000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7364) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000E2995739EE85DC01C41C000090210000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000003D91439EE85DC01701C0000A01C0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000569D1939EE85DC01701C0000A01C0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
15
(PID) Process:(7280) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
48000000000000006D393639EE85DC01701C0000A01C0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
9
Suspicious files
62
Text files
183
Unknown types
1

Dropped files

PID
Process
Filename
Type
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfdf99.TMP
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfdf99.TMP
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFfdfa8.TMP
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFfdfa8.TMP
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFfdfa8.TMP
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7500msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
93
TCP/UDP connections
70
DNS requests
64
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7824
msedge.exe
GET
304
150.171.28.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
US
whitelisted
7824
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:QIhHYJgRGwVZHUxJdwphRklhcx3q_wnlwiizzokJq7E&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
101 b
whitelisted
7824
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=65&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0
US
text
892 b
whitelisted
7824
msedge.exe
GET
200
104.18.23.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
text
25 b
whitelisted
7824
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
text
446 b
whitelisted
7824
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=133.0.3065.92&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D1.2.1%26installedby%3Dother%26uc%26ping%3Dr%253D546%2526e%253D1
US
xml
413 b
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
7824
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=arbitration_priority_list&version=24.*.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362
US
text
271 b
whitelisted
7824
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=edge_hub_apps_manifest_gz&version=4.11.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362
US
text
266 b
whitelisted
7824
msedge.exe
GET
200
13.107.246.45:443
https://edgeassetservice.azureedge.net/assets/domains_config_gz/3.0.12/asset?assetgroup=EntityExtractionDomainsConfig
US
text
128 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1136
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5356
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7824
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7824
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7824
msedge.exe
178.17.59.68:5506
QWINS-LTD QWINS AS-SET: ~ # AS213702:AS-CUSTOMERS
GB
unknown
7824
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7824
msedge.exe
13.107.246.45:443
edgeassetservice.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
copilot.microsoft.com
  • 104.18.23.222
  • 104.18.22.222
whitelisted
update.googleapis.com
  • 142.251.208.3
whitelisted
www.bing.com
  • 2.16.241.220
  • 2.16.241.215
  • 2.16.241.203
  • 2.16.241.201
  • 2.16.241.221
  • 2.16.241.219
  • 2.16.241.217
  • 2.16.241.197
  • 2.16.241.222
  • 2.16.204.135
  • 2.16.204.144
  • 2.16.204.145
  • 2.16.204.142
  • 2.16.204.139
  • 2.16.204.137
  • 2.16.204.143
  • 2.16.204.136
  • 2.16.204.160
  • 92.122.215.55
  • 92.122.215.57
  • 92.122.215.58
  • 92.122.215.75
  • 92.122.215.65
  • 92.122.215.72
  • 92.122.215.74
  • 92.122.215.53
  • 92.122.215.56
whitelisted
edgeassetservice.azureedge.net
  • 13.107.246.45
  • 13.107.213.45
whitelisted
www.googleapis.com
  • 142.250.186.138
  • 142.251.141.106
  • 142.250.184.202
  • 142.250.185.74
  • 172.217.18.10
  • 142.250.185.170
  • 142.251.140.170
  • 142.251.208.10
  • 142.250.74.202
  • 142.250.184.234
  • 142.250.186.170
  • 172.217.20.138
  • 142.251.141.74
  • 142.250.185.202
  • 142.250.185.138
  • 142.250.185.106
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

PID
Process
Class
Message
7824
msedge.exe
Potentially Bad Traffic
ET HUNTING Terse Request for .txt - Likely Hostile
7824
msedge.exe
Potentially Bad Traffic
ET HUNTING Powershell Downloader with Start-Process Inbound M1
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC connection established M1
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame inbound
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame inbound
8176
MegaA.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://178.17.59.68:5506/b.txt