File name:

_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe

Full analysis: https://app.any.run/tasks/74993a02-bc17-4e03-be99-fef2ccf9e5ec
Verdict: Malicious activity
Analysis date: October 22, 2025, 12:22:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

4F12DE3EFB647F8616B11E662CD18F5B

SHA1:

7CF6BF5AA155C684BE1D39D357ADFDD0B60DAFBC

SHA256:

59E86E944F7EED1E774378C3EEA29189F4B246DA3713F8EBC2E0B5E4BDEF751F

SSDEEP:

98304:0PXS+DPCqpT/nobF7L79C1bDD+lSIxgYK3TkSVosgGz9qrygYurgf/cJb8zhUSvV:IArnsB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • kxetray.exe (PID: 8164)
      • kxetray.exe (PID: 7892)
    • TOFSEE has been detected (YARA)

      • kxetray.exe (PID: 8164)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7868)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7924)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • Reads the Windows owner or organization settings

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • Reads security settings of Internet Explorer

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
    • Reads the date of Windows installation

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
    • Drops a system driver (possible attempt to evade defenses)

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • The process drops C-runtime libraries

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • Process drops legitimate windows executable

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • The process executes via Task Scheduler

      • kxetray.exe (PID: 7892)
    • Connects to SMTP port

      • kxetray.exe (PID: 8164)
  • INFO

    • Checks supported languages

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7868)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7924)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
      • kxetray.exe (PID: 8164)
      • kxetray.exe (PID: 7892)
    • Create files in a temporary directory

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7868)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7924)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • Reads Environment values

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7868)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe (PID: 7924)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • Reads the computer name

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
      • kxetray.exe (PID: 8164)
    • Process checks computer location settings

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7888)
    • Creates files in the program directory

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
      • kxetray.exe (PID: 8164)
    • The sample compiled with english language support

      • _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp (PID: 7976)
    • Reads the machine GUID from the registry

      • kxetray.exe (PID: 8164)
      • kxetray.exe (PID: 7892)
    • Reads the software policy settings

      • slui.exe (PID: 2320)
    • Checks proxy server information

      • slui.exe (PID: 2320)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:09:23 05:03:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 716800
InitializedDataSize: 411136
UninitializedDataSize: -
EntryPoint: 0xb0028
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Microsoft Corporation
FileDescription: Bold Plastic Toaster Setup
FileVersion:
LegalCopyright: Microsoft Corporation. All rights reserved.
OriginalFileName:
ProductName: Bold Plastic Toaster
ProductVersion: 10.0.19041.5968
No data.
All screenshots are available in the full report
Total processes
145
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Processes in the graph: _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe, _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp, _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe, _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp, kxetray.exe (#TOFSEE), slui.exe, kxetray.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2320
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7868
CMD: "C:\Users\admin\Desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe"
Path: C:\Users\admin\Desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Bold Plastic Toaster Setup
Exit code:
1
Version:
Modules
Images
c:\users\admin\desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 7888
CMD: "C:\Users\admin\AppData\Local\Temp\is-QU7VO.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp" /SL5="$60298,3691568,1128960,C:\Users\admin\Desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-QU7VO.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Parent process: _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\is-qu7vo.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 7892
CMD: "C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\kxetray.exe" -ScanType
Path: C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\kxetray.exe
Parent process: svchost.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
MEDIUM
Description:
KXEngine Security Center Tray manager
Version:
2010,08,10,224
Modules
Images
c:\programdata\0edfed84-8472-45ab-a310-5c9830c706be\kxetray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 7924
CMD: "C:\Users\admin\Desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe" /VERYSILENT /PASSWORD=27ecf4a9-1b1c-4242-9ef6-a5d010961b01
Path: C:\Users\admin\Desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe
Parent process: _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Bold Plastic Toaster Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 7976
CMD: "C:\Users\admin\AppData\Local\Temp\is-07U3A.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp" /SL5="$70298,3691568,1128960,C:\Users\admin\Desktop\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe" /VERYSILENT /PASSWORD=27ecf4a9-1b1c-4242-9ef6-a5d010961b01
Path: C:\Users\admin\AppData\Local\Temp\is-07U3A.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Parent process: _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-07u3a.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 8164
CMD: "C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\kxetray.exe" -ScanType
Path: C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\kxetray.exe
Parent process: _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
MEDIUM
Description:
KXEngine Security Center Tray manager
Version:
2010,08,10,224
Modules
Images
c:\programdata\0edfed84-8472-45ab-a310-5c9830c706be\kxetray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
5 242
Read events
5 224
Write events
14
Delete events
4

Modification events

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value:
D01E00004ECEDB944E43DC01

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value:
A90EBBF275C8CBA404998FCDC35072C65AD4AACC8DF3300A8880CBFA82B35AB1

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value:
1

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value:

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value:
A90EBBF275C8CBA404998FCDC35072C65AD4AACC8DF3300A8880CBFA82B35AB1

(PID) Process: (7888) _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value:
Executable files
26
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7924 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.exe | C:\Users\admin\AppData\Local\Temp\is-07U3A.tmp\_59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | executable
MD5: 5E297E2542DEEB70454320AA17904418
SHA256: 8993BB023AB9A18DBC758E5856E4B63D36F75F3BD6B6146A7276288AEC0EA869
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\Users\admin\AppData\Local\Temp\is-C7EGO.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\MpSenseComm.dll | executable
MD5: E5375CF72569280B66696F4145A1EE1E
SHA256: 08D22E7A9239D30C2DB03A7D5B2F44DAF32D7EB7F2839D12748C2C96C074B1C9
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\MpOAV.dll | executable
MD5: 004EB62AE91C5C5F2F54D9B496A73E3C
SHA256: 3433852CEA122B273E7938A5369555E7639F4A5928AABE6AEBB1A63558F9588B
7888 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\Users\admin\AppData\Local\Temp\is-0S5VG.tmp\_isetup\_isdecmp.dll | executable
MD5: 077CB4461A2767383B317EB0C50F5F13
SHA256: 8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\MpUpdate.dll | executable
MD5: 0DECDF48A374D88FC661537491540F4A
SHA256: A809669DC55BE8B713C6C28B25A70D1EA7214F4A78C9959D341C3E3114C85906
7888 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\Users\admin\AppData\Local\Temp\is-0S5VG.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\Users\admin\AppData\Local\Temp\is-C7EGO.tmp\_isetup\_isdecmp.dll | executable
MD5: 077CB4461A2767383B317EB0C50F5F13
SHA256: 8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\is-91C3T.tmp | executable
MD5: 2935678FDC84D64DA1FA45B7DC6F355F
SHA256: 8A6934B5BEA5F9E9D49F6B51988FE8AED86E48039DE8D3DF0F57F64EBD7F6E9F
7976 | _59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f.tmp | C:\ProgramData\0edfed84-8472-45ab-a310-5c9830c706be\eguiDemeter.sys | executable
MD5: 2935678FDC84D64DA1FA45B7DC6F355F
SHA256: 8A6934B5BEA5F9E9D49F6B51988FE8AED86E48039DE8D3DF0F57F64EBD7F6E9F
HTTP(S) requests
22
TCP/UDP connections
63
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
unknown
POST
200
40.126.32.133:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
unknown
POST
200
40.126.32.133:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
unknown
POST
200
20.190.160.132:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
unknown
POST
200
20.190.160.66:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
unknown
POST
200
20.190.160.130:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
unknown
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251022T122244Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=63fc5753b5b64fc48747b8bcb783a38d&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4272741&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1663271&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
3.20 Kb
unknown
GET
200
20.199.58.43:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251022T122244Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=0b2107ed3aba48de819bd828355d7545&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4272741&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1663271&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
3.21 Kb
unknown
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251022T122244Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=e74fdbd072dc413cb074579ad9a69a6c&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4272741&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1663271&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
1.34 Kb
unknown
POST
200
20.190.160.64:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
5512
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5596
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3148
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.204.149:443
www.bing.com
Akamai International B.V.
DE
whitelisted
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5596
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5284
svchost.exe
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.16.204.149
  • 2.16.204.148
  • 2.16.204.156
  • 2.16.204.155
  • 2.16.204.152
  • 2.16.204.160
  • 2.16.204.159
  • 2.16.204.150
  • 2.16.204.153
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.67
  • 40.126.31.129
  • 20.190.159.64
  • 40.126.31.1
  • 40.126.31.3
  • 40.126.31.0
  • 20.190.159.68
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.250.184.238
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
microsoft.com
  • 13.107.246.45
  • 13.107.213.45
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.10.2
  • 52.101.41.180
  • 52.101.8.51
  • 52.101.9.17
whitelisted
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted

Threats

No threats detected
No debug info