File name:

1.bat

Full analysis: https://app.any.run/tasks/c52cb607-67e3-4754-bab7-553e21254463
Verdict: Malicious activity
Analysis date: May 15, 2025, 19:59:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (4390), with no line terminators
MD5:

9A931262E36A189DDD1EAE57DC581AAE

SHA1:

2C58C73C892E71C5CE5FF389A78728E491FF9423

SHA256:

5E09EF8E9532ACE2D9641E7F63B84DD6027A548C23D5C0D6097B7C8884DAFBBF

SSDEEP:

96:nBCXPOqfX2/dmPyDBpCroKOlT1AlTTwWppAekbC7YY:nWOqfIGyDBKoK0uqWp4b/Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5112)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4108)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5112)

    • Application launched itself

      • powershell.exe (PID: 7388)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3272)
      • cmd.exe (PID: 6240)
      • powershell.exe (PID: 7388)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 7388)

    • The process hide an interactive prompt from the user

      • powershell.exe (PID: 7388)

    • Executes script without checking the security policy

      • powershell.exe (PID: 4108)

    • Executes application which crashes

      • powershell.exe (PID: 4108)

    • Connects to unusual port

      • powershell.exe (PID: 4108)

  • INFO

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5112)

    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 2924)

    • Checks supported languages

      • SearchApp.exe (PID: 2924)
      • identity_helper.exe (PID: 6652)

    • Process checks computer location settings

      • SearchApp.exe (PID: 2924)

    • Manual execution by a user

      • cmd.exe (PID: 6240)
      • msedge.exe (PID: 7508)
      • cmd.exe (PID: 3272)
      • notepad.exe (PID: 4648)

    • Reads the software policy settings

      • SearchApp.exe (PID: 2924)
      • slui.exe (PID: 7248)

    • Application launched itself

      • msedge.exe (PID: 7508)

    • Reads the computer name

      • identity_helper.exe (PID: 6652)

    • Reads Environment values

      • identity_helper.exe (PID: 6652)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
201
Monitored processes
62
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs slui.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs notepad.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe conhost.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs werfault.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs searchapp.exe

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
668"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1884 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
672"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6012 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
680"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
736"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4092 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
924"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6060 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1088\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1196"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7ffc88995fd8,0x7ffc88995fe4,0x7ffc88995ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1452"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5332 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2136\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
35 313
Read events
35 172
Write events
138
Delete events
3

Modification events

(PID) Process:(2924) SearchApp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:writeName:IsAADCloudSearchEnabled
Value:
0
(PID) Process:(2924) SearchApp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:writeName:IsMSACloudSearchEnabled
Value:
0
(PID) Process:(2924) SearchApp.exeKey:\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:writeName:BINGIDENTITY_PROP_USEREMAIL
Value:
00003D54A0E9D3C5DB01
(PID) Process:(2924) SearchApp.exeKey:\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:writeName:BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value:
000094EEA0E9D3C5DB01
(PID) Process:(2924) SearchApp.exeKey:\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:writeName:BINGIDENTITY_PROP_ACCOUNTTYPE
Value:
000094EEA0E9D3C5DB01
(PID) Process:(2924) SearchApp.exeKey:\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:writeName:BINGIDENTITY_PROP_ACCOUNTTYPE
Value:
4E006F006E006500000094EEA0E9D3C5DB01
(PID) Process:(2924) SearchApp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation:delete valueName:CachedFeatureString
Value:
(PID) Process:(2924) SearchApp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:writeName:SafeSearchMode
Value:
1
(PID) Process:(2924) SearchApp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation:writeName:CachedFeatureString
Value:
(PID) Process:(2924) SearchApp.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation:writeName:Total
Value:
949
Executable files
30
Suspicious files
571
Text files
228
Unknown types
0

Dropped files

PID
Process
Filename
Type
5112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zuosl5rq.a4m.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:7271D1F2E07B33C49795554745FD42C7
SHA256:361FBA62B248DEE48E612A704C16304ED606698FE4A5377B948FD768AA455DC9
5112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_idxqajsa.f3l.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5112powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:450F6A6E84BBBFB0D5D67F552473C090
SHA256:407190BDA2407689BFB83BB7D826C25741CC6929C66DA5F46D765672E7604523
5112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JM1WV4MPMHGK459QTG0Y.tempbinary
MD5:7271D1F2E07B33C49795554745FD42C7
SHA256:361FBA62B248DEE48E612A704C16304ED606698FE4A5377B948FD768AA455DC9
2924SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\NajusmjIqB4kdLn9FmVxeS4xi2o[1].csstext
MD5:73D1CEBD8E3B6C7246F422D624EDF803
SHA256:0674786CF9978A1F9065F57D98E986070C7CBB5177F154F40E8A924C0E0C13F2
2924SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\-M-8YWX0KlEtdAHVrkTvKQHOghs[1].jsbinary
MD5:32EE4742328DFB725F3A96641B93B344
SHA256:061E63AF37D22CCEF7FB5BB9BEABA0DF2F36B64F985BB8A408638846C895D0A7
5112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c6ec.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
2924SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\FgBbpIj0thGWZOh_xFnM9i4O7ek[1].csstext
MD5:908111EB0FFB1360D5DD61279C21703E
SHA256:1ED87CF425DED994B05A842271AB4D28A76F399E571688CF2E7B186F70DC3059
2924SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10Dbinary
MD5:A5216D68F7B67852D46940E0C9CFF5F3
SHA256:D4DDEE633660395ED2D8ED525DA0F1C2374B44CE4E80ACF37FE558D07D125C1B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
163
DNS requests
116
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
8092
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8092
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
540
svchost.exe
HEAD
200
2.16.10.182:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/241074c3-f448-482a-8c90-855c388ea76a?P1=1747702776&P2=404&P3=2&P4=a6CNLtZVnUimx5Zk%2b5h5XPdOvvKvX5K05TzqsIYaxw04Kaf%2b3Gv%2b9NJ55L1MIaHX0SsLqDdIdEcJ0dx3Hk8dfw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 69.192.161.161
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.140
  • 20.190.160.4
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 20.190.160.2
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
  • 92.123.104.26
  • 92.123.104.33
  • 92.123.104.37
  • 92.123.104.28
  • 92.123.104.29
  • 92.123.104.38
  • 92.123.104.30
  • 92.123.104.36
  • 92.123.104.41
  • 92.123.104.12
  • 92.123.104.21
  • 92.123.104.16
  • 92.123.104.22
  • 92.123.104.14
  • 92.123.104.7
  • 92.123.104.8
  • 92.123.104.9
  • 92.123.104.13
  • 92.123.104.47
  • 92.123.104.50
  • 92.123.104.49
  • 92.123.104.46
  • 92.123.104.53
  • 23.15.178.200
  • 23.15.178.226
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
th.bing.com
  • 92.123.104.9
  • 92.123.104.26
  • 92.123.104.18
  • 92.123.104.12
  • 92.123.104.13
  • 92.123.104.22
  • 92.123.104.11
  • 92.123.104.28
  • 92.123.104.21
  • 92.123.104.16
  • 92.123.104.14
  • 92.123.104.7
  • 92.123.104.8
whitelisted

Threats

PID
Process
Class
Message
2392
msedge.exe
Misc activity
ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392
msedge.exe
Misc activity
ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392
msedge.exe
Misc activity
ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392
msedge.exe
Misc activity
ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392
msedge.exe
Misc activity
ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392
msedge.exe
Misc activity
ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392
msedge.exe
Misc activity
ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392
msedge.exe
Misc activity
ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392
msedge.exe
Misc activity
ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
No debug info