URL:

https://www.mediafire.com/file/qd62co1dl19znip/Setup.zip/file

Full analysis: https://app.any.run/tasks/65742472-4228-4f08-9f2d-d485f2c2f5c1
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: April 25, 2025, 16:35:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-doc
arch-exec
miner
winring0x64-sys
vuln-driver
upx
xmrig
redline
pyinstaller
crypto-regex
Indicators:
MD5:

4C286B28FF837D0DCA657CFAF7BF431A

SHA1:

1B8A3FF0F69F6DEF8012E72CE90A369CB5F33DB7

SHA256:

703BD6971F0F383BCAE6F92FE6EBE8C33D8C68FC7D939B396D32072EFB141491

SSDEEP:

3:N8DSLw3eGUoYi5JFfLUtP9:2OLw3eG0yFj61

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Setup.exe (PID: 8888)

    • Changes Windows Defender settings

      • wmplayer.exe (PID: 6700)

    • Vulnerable driver has been detected

      • wmplayer.exe (PID: 6700)

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 9068)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • conhost.exe (PID: 9076)

    • Adds extension to the Windows Defender exclusion list

      • wmplayer.exe (PID: 6700)

    • Connects to the CnC server

      • conhost.exe (PID: 9076)

    • XMRIG has been detected (YARA)

      • conhost.exe (PID: 9076)

    • REDLINE has been detected (YARA)

      • playalacch.exe (PID: 6068)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • msedge.exe (PID: 7312)
      • Setup.exe (PID: 8888)
      • WinService.exe (PID: 300)
      • WinService.exe (PID: 6572)

    • Executable content was dropped or overwritten

      • Setup.exe (PID: 8888)
      • wmplayer.exe (PID: 6700)
      • Installer.exe (PID: 8408)
      • WinService.exe (PID: 300)
      • WinService.exe (PID: 4776)
      • sept.exe (PID: 8344)
      • WinService.exe (PID: 6572)

    • Process drops legitimate windows executable

      • Setup.exe (PID: 8888)
      • WinRAR.exe (PID: 9044)
      • WinService.exe (PID: 6572)
      • WinService.exe (PID: 300)
      • WinRAR.exe (PID: 8408)
      • msedge.exe (PID: 7312)

    • Script adds exclusion extension to Windows Defender

      • wmplayer.exe (PID: 6700)

    • Starts POWERSHELL.EXE for commands execution

      • wmplayer.exe (PID: 6700)

    • Manipulates environment variables

      • powershell.exe (PID: 6264)

    • Script adds exclusion path to Windows Defender

      • wmplayer.exe (PID: 6700)

    • Starts CMD.EXE for commands execution

      • wmplayer.exe (PID: 6700)
      • WinService.exe (PID: 4776)

    • Drops a system driver (possible attempt to evade defenses)

      • wmplayer.exe (PID: 6700)

    • Process uninstalls Windows update

      • wusa.exe (PID: 8068)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)

    • Potential Corporate Privacy Violation

      • conhost.exe (PID: 9076)

    • Connects to unusual port

      • conhost.exe (PID: 9076)
      • playalacch.exe (PID: 6068)

    • Process drops python dynamic module

      • WinService.exe (PID: 300)
      • WinService.exe (PID: 6572)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 8176)

    • Executing commands from a ".bat" file

      • WinService.exe (PID: 4776)

    • The executable file from the user directory is run by the CMD process

      • WinService.exe (PID: 6572)

    • Application launched itself

      • WinService.exe (PID: 300)
      • WinService.exe (PID: 6572)

    • There is functionality for taking screenshot (YARA)

      • playalacch.exe (PID: 6068)
      • WinService.exe (PID: 6572)
      • WinService.exe (PID: 5308)

    • Uses REG/REGEDIT.EXE to modify registry

      • sept.exe (PID: 8344)
      • putsibdjzarh.exe (PID: 1804)

    • Starts itself from another location

      • sept.exe (PID: 8344)

    • Found regular expressions for crypto-addresses (YARA)

      • WinService.exe (PID: 5308)

  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 7308)

    • Application launched itself

      • msedge.exe (PID: 7312)

    • Reads the computer name

      • identity_helper.exe (PID: 7308)
      • Setup.exe (PID: 8888)

    • The sample compiled with english language support

      • msedge.exe (PID: 7312)
      • Setup.exe (PID: 8888)
      • WinRAR.exe (PID: 8408)
      • WinRAR.exe (PID: 9044)
      • WinService.exe (PID: 300)
      • WinService.exe (PID: 6572)
      • msedge.exe (PID: 8844)

    • Checks supported languages

      • Setup.exe (PID: 8888)
      • wmplayer.exe (PID: 6700)
      • identity_helper.exe (PID: 7308)

    • Reads the software policy settings

      • slui.exe (PID: 5608)

    • The sample compiled with japanese language support

      • wmplayer.exe (PID: 6700)

    • Manual execution by a user

      • WinRAR.exe (PID: 3888)
      • Installer.exe (PID: 8408)
      • WinRAR.exe (PID: 9044)
      • WinRAR.exe (PID: 8408)
      • Setup.exe (PID: 8888)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 9044)
      • msedge.exe (PID: 8844)
      • WinRAR.exe (PID: 8408)

    • UPX packer has been detected

      • conhost.exe (PID: 9076)

    • PyInstaller has been detected (YARA)

      • WinService.exe (PID: 6572)
      • WinService.exe (PID: 5308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(6068) playalacch.exe
C2 (1)51.195.206.227:38719
BotnetTgFilecr
Options
ErrorMessage
Keys
XorRyper
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
224
Monitored processes
88
Malicious processes
13
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe setup.exe conhost.exe no specs THREAT wmplayer.exe msedge.exe no specs msedge.exe no specs slui.exe powershell.exe no specs conhost.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs #MINER conhost.exe wusa.exe no specs #MINER svchost.exe winrar.exe no specs msedge.exe no specs winrar.exe installer.exe winservice.exe sept.exe #REDLINE playalacch.exe winservice.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs winservice.exe winservice.exe no specs msedge.exe no specs reg.exe no specs conhost.exe no specs putsibdjzarh.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300"C:\Users\admin\AppData\Local\Temp\WinService.exe" C:\Users\admin\AppData\Local\Temp\WinService.exe
Installer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\winservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
516"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5672 --field-trial-handle=2732,i,16374731680786518204,10356173785098948640,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
904\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1056C:\WINDOWS\system32\conhost.exeC:\Windows\System32\conhost.exeputsibdjzarh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
1168C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
1228"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6508 --field-trial-handle=2732,i,16374731680786518204,10356173785098948640,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
1300"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5404 --field-trial-handle=2732,i,16374731680786518204,10356173785098948640,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1804"C:\Users\admin\AppData\Roaming\fwrnugmlimyc\putsibdjzarh.exe"C:\Users\admin\AppData\Roaming\fwrnugmlimyc\putsibdjzarh.exesept.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\fwrnugmlimyc\putsibdjzarh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2268"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1288 --field-trial-handle=2732,i,16374731680786518204,10356173785098948640,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 425
Read events
17 366
Write events
59
Delete events
0

Modification events

(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(7312) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
6331A13333922F00
(PID) Process:(7312) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
4EEDB03333922F00
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197456
Operation:writeName:WindowTabManagerFileMappingId
Value:
{689E1119-F985-49B7-B2FE-321DB10380D4}
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197456
Operation:writeName:WindowTabManagerFileMappingId
Value:
{3EAFFE2F-EA1A-4EE0-96B8-EAD8DF1E0FDA}
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197456
Operation:writeName:WindowTabManagerFileMappingId
Value:
{7C632391-BBEC-479A-AE78-B23EDD1A77F5}
(PID) Process:(7312) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197456
Operation:writeName:WindowTabManagerFileMappingId
Value:
{BDE04EFD-CE60-4D58-86C9-77330A5BF17B}
Executable files
108
Suspicious files
457
Text files
73
Unknown types
0

Dropped files

PID
Process
Filename
Type
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10baf5.TMP
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10baf5.TMP
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10baf5.TMP
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10baf5.TMP
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10bb43.TMP
MD5:
SHA256:
7312msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
292
DNS requests
341
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5544
svchost.exe
HEAD
200
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1746054376&P2=404&P3=2&P4=i2UWeI%2fnRwHtBdbOCk%2bVdoB%2bteAreIVtUU3GPqQyVvj%2fjysReszQ6sRowbAi6ayD%2fYOLERNCCjkeVsG7qcdgFQ%3d%3d
unknown
whitelisted
2420
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5544
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1746054376&P2=404&P3=2&P4=i2UWeI%2fnRwHtBdbOCk%2bVdoB%2bteAreIVtUU3GPqQyVvj%2fjysReszQ6sRowbAi6ayD%2fYOLERNCCjkeVsG7qcdgFQ%3d%3d
unknown
whitelisted
5544
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1746054376&P2=404&P3=2&P4=i2UWeI%2fnRwHtBdbOCk%2bVdoB%2bteAreIVtUU3GPqQyVvj%2fjysReszQ6sRowbAi6ayD%2fYOLERNCCjkeVsG7qcdgFQ%3d%3d
unknown
whitelisted
2420
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5544
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1746054376&P2=404&P3=2&P4=i2UWeI%2fnRwHtBdbOCk%2bVdoB%2bteAreIVtUU3GPqQyVvj%2fjysReszQ6sRowbAi6ayD%2fYOLERNCCjkeVsG7qcdgFQ%3d%3d
unknown
whitelisted
5544
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1746054376&P2=404&P3=2&P4=i2UWeI%2fnRwHtBdbOCk%2bVdoB%2bteAreIVtUU3GPqQyVvj%2fjysReszQ6sRowbAi6ayD%2fYOLERNCCjkeVsG7qcdgFQ%3d%3d
unknown
whitelisted
5544
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1746054376&P2=404&P3=2&P4=i2UWeI%2fnRwHtBdbOCk%2bVdoB%2bteAreIVtUU3GPqQyVvj%2fjysReszQ6sRowbAi6ayD%2fYOLERNCCjkeVsG7qcdgFQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7612
msedge.exe
104.17.151.117:443
www.mediafire.com
whitelisted
7312
msedge.exe
239.255.255.250:1900
whitelisted
7612
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7612
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7612
msedge.exe
13.107.253.45:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7612
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 95.101.149.131
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
www.mediafire.com
  • 104.17.151.117
  • 104.17.150.117
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.22.242.105
  • 2.22.242.11
whitelisted

Threats

PID
Process
Class
Message
7612
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
7612
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
7612
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
7612
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
7612
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7612
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7612
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
7612
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
7612
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7612
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.mediafire.com/file/qd62co1dl19znip/Setup.zip/file