File name: FPSUnlocker_x64.exe
Full analysis: https://app.any.run/tasks/bfbcac4e-8726-44ad-93d2-9b8581e527f6
Verdict: Malicious activity
Analysis date: August 12, 2024, 10:10:37
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 042A9C355C8CB771EB7BE07DED4C0F30
SHA1: 0C89668954744AE7DEB917312BDBEA9DA4CC5EC7
SHA256: 9EA9CFB9C5DA423B4C2F6AB49277765DF102A456888FAA52A6F95BFEB46B4A57
SSDEEP: 393216:7e+pzSeCRc6o4KJZXb7hYT1i1mXdKJrbsdC8NFh6YQO5EwwJXz93pxzAd4:77zSwZ4uZX81YK+rbQf0Ea5xEq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1132)
    • Changes powershell execution policy (Unrestricted)

      • cmd.exe (PID: 4704)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FPSUnlocker_x64.exe (PID: 6616)
    • Executable content was dropped or overwritten

      • FPSUnlocker_x64.exe (PID: 6616)
    • Process drops legitimate windows executable

      • FPSUnlocker_x64.exe (PID: 6616)
    • Drops the executable file immediately after the start

      • FPSUnlocker_x64.exe (PID: 6616)
    • The process creates files with name similar to system file names

      • FPSUnlocker_x64.exe (PID: 6616)
    • Reads security settings of Internet Explorer

      • FPSUnlocker_x64.exe (PID: 6616)
      • installer.exe (PID: 6444)
    • Creates a software uninstall entry

      • FPSUnlocker_x64.exe (PID: 6616)
    • Application launched itself

      • Setup.exe (PID: 6388)
    • Drops 7-zip archiver for unpacking

      • FPSUnlocker_x64.exe (PID: 6616)
    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 5880)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4704)
      • cmd.exe (PID: 7892)
    • Checks Windows Trust Settings

      • installer.exe (PID: 6444)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7900)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2804)
      • cscript.exe (PID: 5944)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2804)
      • cscript.exe (PID: 5944)
    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 5944)
      • cscript.exe (PID: 2804)
    • Writes binary data to a Stream object (SCRIPT)

      • cscript.exe (PID: 2804)
  • INFO

    • Create files in a temporary directory

      • FPSUnlocker_x64.exe (PID: 6616)
      • Setup.exe (PID: 6388)
      • Setup.exe (PID: 5880)
    • Checks supported languages

      • FPSUnlocker_x64.exe (PID: 6616)
      • Setup.exe (PID: 6388)
      • installer.exe (PID: 6444)
      • Setup.exe (PID: 5880)
      • Setup.exe (PID: 6752)
      • Setup.exe (PID: 6732)
      • identity_helper.exe (PID: 6332)
      • pwahelper.exe (PID: 7844)
    • Reads the computer name

      • FPSUnlocker_x64.exe (PID: 6616)
      • Setup.exe (PID: 6388)
      • installer.exe (PID: 6444)
      • Setup.exe (PID: 6732)
      • Setup.exe (PID: 6752)
      • identity_helper.exe (PID: 6332)
      • Setup.exe (PID: 5880)
      • pwahelper.exe (PID: 7844)
    • Creates files or folders in the user directory

      • FPSUnlocker_x64.exe (PID: 6616)
      • Setup.exe (PID: 6388)
      • installer.exe (PID: 6444)
      • Setup.exe (PID: 6752)
    • Creates files in the program directory

      • FPSUnlocker_x64.exe (PID: 6616)
    • Manual execution by a user

      • Setup.exe (PID: 232)
      • Setup.exe (PID: 6388)
      • msedge.exe (PID: 7172)
    • Reads product name

      • Setup.exe (PID: 6388)
      • Setup.exe (PID: 5880)
    • Reads Environment values

      • Setup.exe (PID: 6388)
      • Setup.exe (PID: 5880)
      • identity_helper.exe (PID: 6332)
    • Checks proxy server information

      • Setup.exe (PID: 6388)
      • installer.exe (PID: 6444)
    • Process checks computer location settings

      • Setup.exe (PID: 5880)
      • Setup.exe (PID: 6388)
    • Reads the machine GUID from the registry

      • installer.exe (PID: 6444)
    • Reads the software policy settings

      • installer.exe (PID: 6444)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 5040)
      • msedge.exe (PID: 7172)
      • installer.exe (PID: 6444)
    • Application launched itself

      • msedge.exe (PID: 7172)
      • msedge.exe (PID: 5040)
    • Gets the execution policy for the powershell session

      • cmd.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5944)
      • cscript.exe (PID: 2804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.2.0
ProductVersionNumber: 1.0.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: -
FileVersion: 1.0.2
LegalCopyright: Copyright © 2022 Setup
ProductName: Setup
ProductVersion: 1.0.2
No data.
All screenshots are available in the full report
Total processes: 219
Monitored processes: 79
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Interactive process tree (available in the full report). Process images appearing in the graph, starting from fpsunlocker_x64.exe: setup.exe, installer.exe, conhost.exe, comppkgsrv.exe, cmd.exe, schtasks.exe, powershell.exe, msedge.exe, systeminfo.exe, identity_helper.exe, tiworker.exe, cscript.exe, pwahelper.exe, and a second fpsunlocker_x64.exe instance.

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 232
CMD: "C:\Windows\PrivacyProtectorLog\Setup.exe"
Path: C:\Windows\PrivacyProtectorLog\Setup.exe
Parent process: explorer.exe
User: admin
Company: GitHub, Inc.
Integrity Level: MEDIUM
Description: Setup
Exit code: 3221226540
Version: 1.0.2
Modules (images):
c:\windows\privacyprotectorlog\setup.exe
c:\windows\system32\ntdll.dll
PID: 236
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2292,i,12477410231559654999,136124600261261350,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 360
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app-id=mjoklplbddabcmpepnokjaffbmgbkkgg --app-launch-source=28 --profile-directory=Default --ip-proc-id=7844 --ip-binding --mojo-named-platform-channel-pipe=7844.8024.11491568593657416985 --ip-aumid=github.com-8B11BEB2_2t1n1bqhyggy0!App
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: pwahelper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1108
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7636 --field-trial-handle=2292,i,12477410231559654999,136124600261261350,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "SCHTASKS /Create /TN "Updater_PrivacyBlocker_PR1" /SC HOURLY /TR "powershell -File C:/Windows/System32/PrivacyBlockerWindows.ps1" /RL HIGHEST /MO 4 /RU System /ST 10:14"
Path: C:\Windows\System32\cmd.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1640
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2292,i,12477410231559654999,136124600261261350,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2152
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7660 --field-trial-handle=2292,i,12477410231559654999,136124600261261350,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2384
CMD: SCHTASKS /Create /TN "Updater_PrivacyBlocker_PR1" /SC HOURLY /TR "powershell -File C:/Windows/System32/PrivacyBlockerWindows.ps1" /RL HIGHEST /MO 4 /RU System /ST 10:14
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2804
CMD: cscript.exe //Nologo resources\regedit\vbs\regPutValue.wsf A
Path: C:\Windows\System32\cscript.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Exit code: 2
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 38 297
Read events: 38 128
Write events: 148
Delete events: 21

Modification events

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: InstallLocation
Value: C:\Windows\PrivacyProtectorLog

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: InstallLocation
Value: C:\Windows\PrivacyProtectorLog

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: InstallLocation
Value: C:\Windows\PrivacyProtectorLog

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: KeepShortcuts
Value: true

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: ShortcutName
Value: Setup

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: DisplayName
Value: Setup 1.0.2

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: UninstallString
Value: "C:\Windows\PrivacyProtectorLog\Uninstall Setup.exe" /allusers

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: QuietUninstallString
Value: "C:\Windows\PrivacyProtectorLog\Uninstall Setup.exe" /allusers /S

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: DisplayVersion
Value: 1.0.2

PID/Process: 6616 FPSUnlocker_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eb1a0fbb-fc70-428e-97f1-fa7080894806
Operation: write
Name: DisplayIcon
Value: C:\Windows\PrivacyProtectorLog\Setup.exe,0
Executable files: 34
Suspicious files: 722
Text files: 271
Unknown types: 11

Dropped files

Columns: PID | Process | Filename | Type

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsn75E8.tmp\app-64.7z

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Windows\PrivacyProtectorLog\icudtl.dat

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Windows\PrivacyProtectorLog\LICENSES.chromium.html

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsn75E8.tmp\nsis7z.dll
Type: executable
MD5: 80E44CE4895304C6A3A831310FBF8CD0
SHA256: B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsn75E8.tmp\SpiderBanner.dll
Type: executable
MD5: 17309E33B596BA3A5693B4D3E85CF8D7
SHA256: 996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Windows\PrivacyProtectorLog\chrome_100_percent.pak
Type: pgc
MD5: A59EA69D64BF4F748401DC5A46A65854
SHA256: F1A935DB8236203CBC1DCBB9672D98E0BD2FA514429A3F2F82A26E0EB23A4FF9

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Windows\PrivacyProtectorLog\chrome_200_percent.pak
Type: binary
MD5: 1985B8FC603DB4D83DF72CFAEEAC7C50
SHA256: 7F9DED50D81C50F9C6ED89591FA621FABBD45CEF150C8AABCCEB3B7A9DE5603B

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsn75E8.tmp\nsProcess.dll
Type: executable
MD5: F0438A894F3A7E01A4AAE8D1B5DD0289
SHA256: 30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Windows\PrivacyProtectorLog\locales\es-419.pak
Type: binary
MD5: 0B89989B12AE136F25993EC03DBEC13C
SHA256: 2786809AB8FEC0874955F37130FA3B0D0EDD2AE1500B052E78DCE583A9883AC7

PID 6616, FPSUnlocker_x64.exe
Filename: C:\Windows\PrivacyProtectorLog\LICENSE.electron.txt
Type: text
MD5: 45574510C534A8195F53B30E3810239E
SHA256: C44607A865E7A6DB05552BAA0EF71F9887D96ACD00D123854B44996BC27C0E33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 34
TCP/UDP connections: 130
DNS requests: 144
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
8400 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/86757d86-0ea1-4096-82da-5ef4c7ce932f?P1=1724055097&P2=404&P3=2&P4=j%2fBsiBMeZyjWwYNeJQDYvHnh%2bZ8tAQlwZuzEOT%2b96X3xKEKcSOchdmwpiovWMXxTyG3497nz4vNkU%2bxzqcD09w%3d%3d | US | binary | 17.6 Kb | whitelisted
8400 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1723476905&P2=404&P3=2&P4=NuM18PMDRwP0ConiGWF8pYDTct%2fzPG2KVhQ8m9cmrjvOUkEU5sScTZOjWx1z9N%2fJ%2bl2ow%2b%2bwHf1Ne4%2f%2buMxuRw%3d%3d | US | binary | 3.04 Kb | whitelisted
8400 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/86757d86-0ea1-4096-82da-5ef4c7ce932f?P1=1724055097&P2=404&P3=2&P4=j%2fBsiBMeZyjWwYNeJQDYvHnh%2bZ8tAQlwZuzEOT%2b96X3xKEKcSOchdmwpiovWMXxTyG3497nz4vNkU%2bxzqcD09w%3d%3d | US | binary | 31.4 Kb | whitelisted
8400 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/86757d86-0ea1-4096-82da-5ef4c7ce932f?P1=1724055097&P2=404&P3=2&P4=j%2fBsiBMeZyjWwYNeJQDYvHnh%2bZ8tAQlwZuzEOT%2b96X3xKEKcSOchdmwpiovWMXxTyG3497nz4vNkU%2bxzqcD09w%3d%3d | US | binary | 8.74 Kb | whitelisted
8400 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/86757d86-0ea1-4096-82da-5ef4c7ce932f?P1=1724055097&P2=404&P3=2&P4=j%2fBsiBMeZyjWwYNeJQDYvHnh%2bZ8tAQlwZuzEOT%2b96X3xKEKcSOchdmwpiovWMXxTyG3497nz4vNkU%2bxzqcD09w%3d%3d | US | binary | 71.4 Kb | whitelisted
8400 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/86757d86-0ea1-4096-82da-5ef4c7ce932f?P1=1724055097&P2=404&P3=2&P4=j%2fBsiBMeZyjWwYNeJQDYvHnh%2bZ8tAQlwZuzEOT%2b96X3xKEKcSOchdmwpiovWMXxTyG3497nz4vNkU%2bxzqcD09w%3d%3d | US | binary | 46.6 Kb | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 312 b | whitelisted
6864 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
5484 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
6840 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4088 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5336 | SearchApp.exe | 104.126.37.160:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5484 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

(A dash marks a column the report leaves empty for that row.)

DNS requests

Domain (reputation): resolved IPs
settings-win.data.microsoft.com (whitelisted): 4.231.128.59, 40.127.240.158, 51.104.136.2, 20.106.86.13
google.com (whitelisted): 142.250.185.206
www.bing.com (whitelisted): 104.126.37.160, 104.126.37.161, 104.126.37.153, 104.126.37.155, 104.126.37.146, 104.126.37.154, 104.126.37.152, 104.126.37.162, 104.126.37.145, 104.126.37.128, 104.126.37.139, 104.126.37.136, 104.126.37.131, 104.126.37.144, 104.126.37.123, 104.126.37.129, 104.126.37.137, 104.126.37.171, 104.126.37.163, 104.126.37.170
ocsp.digicert.com (whitelisted): 192.229.221.95
login.live.com (whitelisted): 40.126.32.136, 20.190.160.14, 40.126.32.68, 40.126.32.134, 40.126.32.76, 20.190.160.22, 40.126.32.74, 40.126.32.72
client.wns.windows.com (whitelisted): 40.113.110.67
th.bing.com (whitelisted): 104.126.37.128, 104.126.37.139, 104.126.37.136, 104.126.37.145, 104.126.37.131, 104.126.37.144, 104.126.37.123, 104.126.37.129, 104.126.37.137, 104.126.37.171, 104.126.37.161, 104.126.37.162, 104.126.37.154, 104.126.37.163, 104.126.37.155, 104.126.37.153, 104.126.37.170, 104.126.37.146
fd.api.iris.microsoft.com (whitelisted): 20.223.35.26
arc.msn.com (whitelisted): 20.31.169.57, 20.223.36.55
api.github.com (whitelisted): 140.82.121.5

Threats

PID | Process | Class | Message
7448 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
7448 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
7448 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
7448 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
No debug info