File name:

8yhY.zip

Full analysis: https://app.any.run/tasks/99c9c8ff-449b-42f8-a270-6efe01c99fdb
Verdict: Malicious activity
Analysis date: May 14, 2025, 00:08:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ateraagent
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

731744E0A108A307BAA798896F789F9B

SHA1:

4B90966D7CB37D301EC3887E456B7643133F3C56

SHA256:

9730CB1D40459EDF34C609445675C89CF568F8EC3290925BDE194B030C53BE67

SSDEEP:

98304:ZoW7k4vnXOQRh46w3RbEjCTuFS+OQXndiuaJzytSbNmaAQ3VlKKvjKOBvzeLj74D:H6m/rEu4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6184)

    • Executing a file with an untrusted certificate

      • msedgewebview2.exe (PID: 1196)
      • msedgewebview2.exe (PID: 6136)

    • Starts NET.EXE for service management

      • msiexec.exe (PID: 2344)
      • net.exe (PID: 5776)

    • ATERAAGENT has been detected (YARA)

      • msiexec.exe (PID: 660)
      • msiexec.exe (PID: 2096)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4572)

    • Changes powershell execution policy (Bypass)

      • AgentPackageAgentInformation.exe (PID: 1300)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6184)
      • msiexec.exe (PID: 2096)
      • msedgewebview2.exe (PID: 6136)

    • Executes as Windows Service

      • VSSVC.exe (PID: 4336)
      • msedgewebview2.exe (PID: 6136)

    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 6108)
      • AgentPackageAgentInformation.exe (PID: 2084)
      • msedgewebview2.exe (PID: 6136)
      • AgentPackageAgentInformation.exe (PID: 4528)
      • AgentPackageMonitoring.exe (PID: 5544)
      • AgentPackageAgentInformation.exe (PID: 1300)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 928)
      • rundll32.exe (PID: 6108)
      • rundll32.exe (PID: 2564)
      • msedgewebview2.exe (PID: 6136)
      • csc.exe (PID: 5132)
      • rundll32.exe (PID: 2288)

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 2344)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5132)

    • The process bypasses the loading of PowerShell profile settings

      • AgentPackageAgentInformation.exe (PID: 1300)

    • The process executes Powershell scripts

      • AgentPackageAgentInformation.exe (PID: 1300)
      • cmd.exe (PID: 5528)

    • Starts POWERSHELL.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 1300)
      • cmd.exe (PID: 5528)

    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 1300)

    • The process executes VB scripts

      • cmd.exe (PID: 2664)

    • Restarts service on failure

      • sc.exe (PID: 4436)

    • Starts SC.EXE for service management

      • msedgewebview2.exe (PID: 6136)

    • Executes application which crashes

      • cscript.exe (PID: 4784)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6184)
      • msiexec.exe (PID: 2096)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 660)

    • Manual execution by a user

      • msiexec.exe (PID: 660)

    • Checks proxy server information

      • msiexec.exe (PID: 660)

    • Reads the software policy settings

      • msiexec.exe (PID: 660)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 660)

    • Reads the computer name

      • msiexec.exe (PID: 2096)

    • Checks supported languages

      • msiexec.exe (PID: 2096)

    • The sample compiled with english language support

      • rundll32.exe (PID: 928)
      • rundll32.exe (PID: 6108)
      • rundll32.exe (PID: 2564)
      • rundll32.exe (PID: 2288)
      • msedgewebview2.exe (PID: 6136)

    • Manages system restore points

      • SrTasks.exe (PID: 732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:02:04 11:53:42
ZipCRC: 0x79aa3ea2
ZipCompressedSize: 2736641
ZipUncompressedSize: 2994176
ZipFileName: MsEdge.msi
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
184
Monitored processes
47
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe #ATERAAGENT msiexec.exe #ATERAAGENT msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs msedgewebview2.exe msedgewebview2.exe sc.exe no specs conhost.exe no specs rundll32.exe agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs agentpackagemonitoring.exe conhost.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs cscript.exe werfault.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
644"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msxml6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll
660"C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\Desktop\MsEdge.msi" C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeAgentPackageMonitoring.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
732C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
736"TaskKill.exe" /f /im AteraAgent.exeC:\Windows\SysWOW64\taskkill.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
928rundll32.exe "C:\WINDOWS\Installer\MSI466E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1132171 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1052\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeAgentPackageAgentInformation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1196"C:\Program Files (x86)\MsEdge\MsEdge\msedgewebview2.exe" /i /IntegratorLogin="otavioalveseventos@gmail.com" /CompanyId="3" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O07oVIAR" /AgentId="d110279f-41ab-4dfe-833f-2fa176154b39"C:\Program Files (x86)\MsEdge\MsEdge\msedgewebview2.exe
msiexec.exe
User:
admin
Company:
MsEdgeNetworks Ltd.
Integrity Level:
MEDIUM
Description:
msedgewebview2
Exit code:
0
Version:
1.8.7.2
Modules
Images
c:\program files (x86)\msedge\msedge\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
50 121
Read events
49 721
Write events
375
Delete events
25

Modification events

(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\8yhY.zip
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF57010000480000001705000031020000
(PID) Process:(6184) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
65
Suspicious files
56
Text files
31
Unknown types
0

Dropped files

PID
Process
Filename
Type
2096msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6184WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6184.16411\MsEdge.msiexecutable
MD5:9066E4D45909572278164AEB1996375B
SHA256:BDEDCFC003752FEF80195B9031D07F4B6F35A8290DFCBF8D423D01F16255FEBC
660msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:EFE7CC34702C713A1E86E32C9AE5F5E5
SHA256:D396547758663B74DB903F15D5638F24B649DB5E0006F761A45DB6DA1FFE6F39
660msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:74B57365473002B71602838B66073C62
SHA256:8766AC0115DB4FD65CF74EDD6639374919D7401FBB112D596600A83CA15A8A96
2564rundll32.exeC:\Users\admin\AppData\Local\Temp\MSI3CF6.tmp-\AlphaControlAgentInstallation.dllexecutable
MD5:AA1B9C5C685173FAD2DABEBEB3171F01
SHA256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
660msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:E9AD130935D9E3EF0C6D13682836CD97
SHA256:E0F5878CCFC2785084FBC02238A5F31E9C6E88358040E184BF00DAD1DDD05F52
660msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:B7C8CBE5828096CFA047B5AD40181C1C
SHA256:B9E275E3979B99AFE4AE1EE696692BD7E2795A142AD18290253F3CE72057BB25
2096msiexec.exeC:\Windows\Installer\11394d.msiexecutable
MD5:9066E4D45909572278164AEB1996375B
SHA256:BDEDCFC003752FEF80195B9031D07F4B6F35A8290DFCBF8D423D01F16255FEBC
2564rundll32.exeC:\Users\admin\AppData\Local\Temp\MSI3CF6.tmp-\Newtonsoft.Json.dllexecutable
MD5:715A1FBEE4665E99E859EDA667FE8034
SHA256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
2096msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:F8B8387A1CC48C4D909FD5870B6C4036
SHA256:50667A65343456941BADAF58EDC678CEDC6DF37CADF2505C7536899824C4AD4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
51
DNS requests
27
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
660
msiexec.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
660
msiexec.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
660
msiexec.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D
unknown
whitelisted
6712
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6712
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
104.119.109.218:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
104.119.109.218:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 184.24.77.12
  • 184.24.77.35
  • 184.24.77.6
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 104.119.109.218
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.64
  • 40.126.31.3
  • 20.190.159.71
  • 20.190.159.129
  • 20.190.159.73
  • 20.190.159.131
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted

Threats

PID
Process
Class
Message
6108
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
2084
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
4528
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6136
msedgewebview2.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
Process
Message
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\MsEdge\MsEdge\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll"...
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
8yhY.zip