URL:

limewire.com/d/PrWGr#ni2wgOOtfT

Full analysis: https://app.any.run/tasks/9158163a-3cc4-46f5-9ecb-e39075485739
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 16, 2025, 06:41:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zephyr
miner
evasion
github
xmrig
winring0x64-sys
vuln-driver
loader
Indicators:
MD5:

A30E01DC46BB450478C1685617F5672A

SHA1:

41EE4810101B653A255E56B631BEA2DB2AFA0A87

SHA256:

8FC0DFB5F5D593E65638760793FA5A2513C6D6B2C0CC5592C45BEEEC7B5A0B56

SSDEEP:

3:LbnKXX1P:fKVP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Windows Defender settings

      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 7388)
      • cmd.exe (PID: 8028)
      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 1356)

    • ZEPHYR has been detected

      • printui.exe (PID: 984)
      • svchost.exe (PID: 724)

    • Starts CMD.EXE for self-deleting

      • printui.exe (PID: 984)

    • Adds path to the Windows Defender exclusion list

      • printui.exe (PID: 984)
      • cmd.exe (PID: 7872)
      • svchost.exe (PID: 724)
      • cmd.exe (PID: 7388)
      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 8028)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 7524)

    • Vulnerable driver has been detected

      • svchost.exe (PID: 724)

    • XMRig has been detected

      • x771025.dat (PID: 4880)
      • x771025.dat (PID: 6364)

    • Connects to the CnC server

      • x771025.dat (PID: 4880)
      • x771025.dat (PID: 6364)

    • MINER has been detected (SURICATA)

      • x771025.dat (PID: 6364)
      • svchost.exe (PID: 2200)
      • x771025.dat (PID: 4880)

    • XMRIG has been detected (YARA)

      • x771025.dat (PID: 6364)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1948)
      • printui.exe (PID: 984)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 7388)
      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 8028)

    • The process drops C-runtime libraries

      • printui.exe (PID: 984)

    • Creates a new Windows service

      • sc.exe (PID: 1204)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4080)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4080)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2124)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7964)
      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 7388)
      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 8028)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 7964)

    • Executable content was dropped or overwritten

      • printui.exe (PID: 984)
      • svchost.exe (PID: 724)

    • Starts CMD.EXE for commands execution

      • printui.exe (PID: 984)
      • console_zero.exe (PID: 7812)
      • svchost.exe (PID: 724)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5248)

    • Connects to unusual port

      • svchost.exe (PID: 724)
      • x771025.dat (PID: 4880)
      • x771025.dat (PID: 6364)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 724)
      • svchost.exe (PID: 2200)
      • x771025.dat (PID: 4880)
      • x771025.dat (PID: 6364)

    • Checks for external IP

      • svchost.exe (PID: 2200)
      • svchost.exe (PID: 724)

    • Drops a system driver (possible attempt to evade defenses)

      • svchost.exe (PID: 724)

    • Connects to the server without a host name

      • svchost.exe (PID: 724)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 2716)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 3852)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 1752)
      • msedge.exe (PID: 5600)

    • Reads the computer name

      • identity_helper.exe (PID: 7964)
      • identity_helper.exe (PID: 2532)

    • Checks supported languages

      • identity_helper.exe (PID: 7964)
      • identity_helper.exe (PID: 2532)

    • Reads Environment values

      • identity_helper.exe (PID: 7964)
      • identity_helper.exe (PID: 2532)

    • Manual execution by a user

      • WinRAR.exe (PID: 1948)
      • printui.exe (PID: 2288)
      • printui.exe (PID: 984)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1948)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 1948)
      • printui.exe (PID: 984)

    • The sample compiled with japanese language support

      • svchost.exe (PID: 724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
248
Monitored processes
98
Malicious processes
12
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs winrar.exe printui.exe no specs #ZEPHYR printui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs console_zero.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe conhost.exe no specs schtasks.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs THREAT svchost.exe #MINER svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #MINER x771025.dat arp.exe no specs cmd.exe no specs conhost.exe no specs #MINER x771025.dat cmd.exe no specs conhost.exe no specs tmpz64.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
436powershell -Command Add-MpPreference -ExclusionPath 'E:\'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
480"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4344,i,11232550194496850060,16879651309871711234,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
620"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4356,i,11415005298978217563,1695757626542620415,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
724C:\Windows\System32\svchost.exe -k DcomLaunchC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\x612477.dat
c:\windows\system32\advapi32.dll
984"C:\Users\admin\Downloads\entry_2_0\printui.exe" C:\Users\admin\Downloads\entry_2_0\printui.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change Printing Settings
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\downloads\entry_2_0\printui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1096"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x298,0x29c,0x2a0,0x28c,0x2a8,0x7ffc4338f208,0x7ffc4338f214,0x7ffc4338f220C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1204sc create x612477 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1216powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1356cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'C:\Windows\System32\cmd.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1480"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2788,i,11415005298978217563,1695757626542620415,262144 --variations-seed-version --mojo-platform-channel-handle=2804 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
44 249
Read events
44 182
Write events
62
Delete events
5

Modification events

(PID) Process:(1752) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1752) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1752) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkLowPart
Value:
0
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkHighPart
Value:
0
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
0
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
0
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31186569
(PID) Process:(3520) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
Executable files
24
Suspicious files
515
Text files
122
Unknown types
5

Dropped files

PID
Process
Filename
Type
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1766c8.TMP
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1766c8.TMP
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1766c8.TMP
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1766b9.TMP
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1766c8.TMP
MD5:
SHA256:
1752msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1766b9.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
48
TCP/UDP connections
151
DNS requests
123
Threats
26

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5764
svchost.exe
GET
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4c4fdee0-d69c-42b7-bf5c-3ec046e9dfc9?P1=1750173199&P2=404&P3=2&P4=leKnT%2buX4So30zqmfihmL%2b6qXCGJ7DmTxhGyB9f%2fyMY2w1U7nibMlG7CvY0hKZh44hy9kXwW%2fOhAuQl5Ye%2bMtg%3d%3d
unknown
whitelisted
5764
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9244b52a-55cc-41a2-b7c4-7f4983d8753c?P1=1750176797&P2=404&P3=2&P4=CRAIzCA%2bYga8txMIS1bpQKBHa%2fY3Wcgr6NSN5WFQpznbihNGPOU%2bUoZPKICeo43IybSMrEdqzRDVUD1Ip8pjyg%3d%3d
unknown
whitelisted
5764
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2ef98485-cbad-4d99-b4c2-cd4abac73fb4?P1=1750173194&P2=404&P3=2&P4=E9DjurfTUv8ugxieR8O0jFmZXwMFSrYjlBnt3aqQMO%2faDkl%2f2G4z2Albo78U7GXkQYk0h0ItAvOKm1VfMU8%2feg%3d%3d
unknown
whitelisted
5764
svchost.exe
GET
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9244b52a-55cc-41a2-b7c4-7f4983d8753c?P1=1750176797&P2=404&P3=2&P4=CRAIzCA%2bYga8txMIS1bpQKBHa%2fY3Wcgr6NSN5WFQpznbihNGPOU%2bUoZPKICeo43IybSMrEdqzRDVUD1Ip8pjyg%3d%3d
unknown
whitelisted
5764
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/46df2db5-82ac-46a7-9d9e-cf1580d73a96?P1=1750286313&P2=404&P3=2&P4=VMFIddrDhzoDVZUD0SKzjziTdHm3ALIOUZf04uOynRlYeU%2fwFqJPlMwQMpHIU2UthFep0WsdJCTWmswZtP6Swg%3d%3d
unknown
whitelisted
5764
svchost.exe
GET
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2ef98485-cbad-4d99-b4c2-cd4abac73fb4?P1=1750173194&P2=404&P3=2&P4=E9DjurfTUv8ugxieR8O0jFmZXwMFSrYjlBnt3aqQMO%2faDkl%2f2G4z2Albo78U7GXkQYk0h0ItAvOKm1VfMU8%2feg%3d%3d
unknown
whitelisted
764
lsass.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
5764
svchost.exe
GET
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/46df2db5-82ac-46a7-9d9e-cf1580d73a96?P1=1750286313&P2=404&P3=2&P4=VMFIddrDhzoDVZUD0SKzjziTdHm3ALIOUZf04uOynRlYeU%2fwFqJPlMwQMpHIU2UthFep0WsdJCTWmswZtP6Swg%3d%3d
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4868
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6892
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6892
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6892
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6892
msedge.exe
172.67.26.165:443
limewire.com
CLOUDFLARENET
US
unknown
6892
msedge.exe
2.23.227.211:443
copilot.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
limewire.com
  • 172.67.26.165
  • 104.22.37.240
  • 104.22.36.240
unknown
copilot.microsoft.com
  • 2.23.227.211
  • 2.23.227.199
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
js.stripe.com
  • 18.66.147.84
  • 18.66.147.118
  • 18.66.147.47
  • 18.66.147.115
whitelisted
api.limewire.com
  • 104.22.36.240
  • 104.22.37.240
  • 172.67.26.165
unknown
www.googletagmanager.com
  • 172.217.16.200
whitelisted
o4505008135340032.ingest.sentry.io
  • 34.120.195.249
whitelisted

Threats

PID
Process
Class
Message
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
724
svchost.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
limewire.com/d/PrWGr#ni2wgOOtfT