URL:

https://www.zenshield.com/locations/free-scotland-vpn

Full analysis: https://app.any.run/tasks/6945bb1a-cfe0-4953-8fe2-4762080f3c59
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 24, 2025, 00:23:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
nodejs
loader
Indicators:
MD5:

0CBA66E3BF1E383B04FECDFC435B1A40

SHA1:

CEA5F376B7E9308F23E8216345E662CCE45D4022

SHA256:

B060F2F3E71A24DA933DF35C00FB164B795F4644F3D1316F84DA4C30D6521668

SSDEEP:

3:N8DSLoDOREGEEYXVR1:2OLoDORETEmj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • The process creates files with name similar to system file names

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • Executable content was dropped or overwritten

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • Get information on the list of running processes

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • cmd.exe (PID: 828)
    • Starts CMD.EXE for commands execution

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Drops 7-zip archiver for unpacking

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • Process drops legitimate windows executable

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • Reads security settings of Internet Explorer

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • Creates a software uninstall entry

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • There is functionality for taking screenshot (YARA)

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • zenshield-vpn.exe (PID: 8136)
    • Application launched itself

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
      • updater.exe (PID: 4196)
    • Uses WMIC.EXE to obtain network information

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Checks for external IP

      • zenshield-vpn.exe (PID: 304)
      • svchost.exe (PID: 2200)
      • zenshield-vpn.exe (PID: 7704)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7744)
      • cmd.exe (PID: 1944)
    • Connects to unusual port

      • zenshield-vpn.exe (PID: 3400)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
      • zenshield-vpn.exe (PID: 7596)
    • Process requests binary or script from the Internet

      • zenshield-vpn.exe (PID: 7704)
    • The process executes via Task Scheduler

      • updater.exe (PID: 4196)
  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 7588)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Application launched itself

      • msedge.exe (PID: 4744)
    • The sample compiled with english language support

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
    • Checks supported languages

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • identity_helper.exe (PID: 7588)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 8136)
      • zenshield-vpn.exe (PID: 3400)
      • zenshield-vpn.exe (PID: 7676)
      • chcp.com (PID: 7528)
      • zenshield-vpn.exe (PID: 7704)
      • zenshield-vpn.exe (PID: 7596)
      • zenshield-vpn.exe (PID: 2216)
      • zenshield-vpn.exe (PID: 5352)
      • chcp.com (PID: 7768)
      • updater.exe (PID: 4196)
      • updater.exe (PID: 5596)
      • zenshield-vpn.exe (PID: 6420)
      • zenshield-vpn.exe (PID: 1944)
    • Reads the computer name

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • identity_helper.exe (PID: 7588)
      • zenshield-vpn.exe (PID: 3400)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 8136)
      • zenshield-vpn.exe (PID: 7704)
      • zenshield-vpn.exe (PID: 5352)
      • zenshield-vpn.exe (PID: 7596)
      • updater.exe (PID: 4196)
      • zenshield-vpn.exe (PID: 6420)
      • zenshield-vpn.exe (PID: 1944)
    • Create files in a temporary directory

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4744)
    • Creates files or folders in the user directory

      • zenshield-vpn-1.0.22-setup.exe (PID: 7924)
      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 3400)
      • zenshield-vpn.exe (PID: 7704)
      • zenshield-vpn.exe (PID: 6420)
    • Reads product name

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Process checks computer location settings

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7676)
      • zenshield-vpn.exe (PID: 7704)
      • zenshield-vpn.exe (PID: 2216)
    • Reads the machine GUID from the registry

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
      • zenshield-vpn.exe (PID: 6420)
      • zenshield-vpn.exe (PID: 1944)
    • Checks proxy server information

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
      • slui.exe (PID: 8016)
    • Manual execution by a user

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7596)
      • WMIC.exe (PID: 7912)
      • WMIC.exe (PID: 7304)
      • WMIC.exe (PID: 7996)
      • WMIC.exe (PID: 3052)
      • WMIC.exe (PID: 7708)
      • WMIC.exe (PID: 5288)
      • WMIC.exe (PID: 1156)
      • WMIC.exe (PID: 3844)
      • WMIC.exe (PID: 7772)
      • WMIC.exe (PID: 7560)
      • WMIC.exe (PID: 5352)
      • WMIC.exe (PID: 7720)
      • WMIC.exe (PID: 3940)
      • WMIC.exe (PID: 5504)
      • WMIC.exe (PID: 7564)
      • WMIC.exe (PID: 7900)
      • WMIC.exe (PID: 6572)
      • WMIC.exe (PID: 2076)
      • WMIC.exe (PID: 6232)
      • WMIC.exe (PID: 3644)
      • WMIC.exe (PID: 7696)
      • WMIC.exe (PID: 5372)
      • WMIC.exe (PID: 7360)
      • WMIC.exe (PID: 7416)
      • WMIC.exe (PID: 6128)
      • WMIC.exe (PID: 4060)
      • WMIC.exe (PID: 3644)
      • WMIC.exe (PID: 2992)
      • WMIC.exe (PID: 7512)
      • WMIC.exe (PID: 7744)
      • WMIC.exe (PID: 7340)
      • WMIC.exe (PID: 7332)
      • WMIC.exe (PID: 2992)
      • WMIC.exe (PID: 6772)
      • WMIC.exe (PID: 5824)
      • WMIC.exe (PID: 7360)
      • WMIC.exe (PID: 3940)
      • WMIC.exe (PID: 1468)
      • WMIC.exe (PID: 5612)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7744)
      • cmd.exe (PID: 1944)
    • Reads CPU info

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 7704)
    • Node.js compiler has been detected

      • zenshield-vpn.exe (PID: 304)
      • zenshield-vpn.exe (PID: 8136)
      • zenshield-vpn.exe (PID: 3400)
      • zenshield-vpn.exe (PID: 7676)
    • Reads the software policy settings

      • slui.exe (PID: 8016)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
291
Monitored processes
141
Malicious processes
6
Suspicious processes
0

Behavior graph

Process nodes shown in the graph (the interactive graph itself is not reproduced here): msedge.exe (multiple instances), identity_helper.exe, zenshield-vpn-1.0.22-setup.exe, cmd.exe, conhost.exe, tasklist.exe, find.exe, slui.exe, zenshield-vpn.exe (multiple instances), svchost.exe, wmic.exe (many instances), chcp.com, updater.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
304
CMD:
"C:\Users\admin\AppData\Local\Programs\zenshield-vpn\zenshield-vpn.exe"
Path:
C:\Users\admin\AppData\Local\Programs\zenshield-vpn\zenshield-vpn.exe
Parent process:
explorer.exe
User:
admin
Company:
Geonode Pte Ltd
Integrity Level:
MEDIUM
Description:
ZenShield VPN
Version:
1.0.22
Modules
Images
c:\users\admin\appdata\local\programs\zenshield-vpn\zenshield-vpn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\dbghelp.dll
PID:
424
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
828
CMD:
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq zenshield-vpn.exe" | %SYSTEMROOT%\System32\find.exe "zenshield-vpn.exe"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
zenshield-vpn-1.0.22-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1156
CMD:
wmic nic where "NetConnectionID = 'Connection'" get MACAddress /value
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
zenshield-vpn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID:
1284
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7548,i,3502740666160125314,387431145079642499,262144 --variations-seed-version --mojo-platform-channel-handle=7856 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1468
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1468
CMD:
wmic nicconfig where "MACAddress = '0A:FD:E6:BB:E4:17'" get DefaultIPGateway /value
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
zenshield-vpn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1632
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x304,0x308,0x30c,0x2fc,0x314,0x7ffc43cbf208,0x7ffc43cbf214,0x7ffc43cbf220
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1864
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1944
CMD:
C:\WINDOWS\system32\cmd.exe /d /s /c "chcp"
Path:
C:\Windows\System32\cmd.exe
Parent process:
zenshield-vpn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
34 677
Read events
34 582
Write events
41
Delete events
54

Modification events

(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:
write
Name:
user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:
(4744) msedge.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:
write
Name:
S-1-5-21-1693682860-607145093-2874071422-1001
Value:
2E34A11F38992F00
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\590632
Operation:
write
Name:
WindowTabManagerFileMappingId
Value:
{5C490A3D-FE32-401C-853A-F704B2A40987}
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\590632
Operation:
write
Name:
WindowTabManagerFileMappingId
Value:
{C7061A91-E307-4E12-AAEC-9FCE49483951}
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\590632
Operation:
write
Name:
WindowTabManagerFileMappingId
Value:
{050FC0AD-F62A-4653-A7C3-A859B70C8498}
(PID) Process:
(4744) msedge.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:
write
Name:
S-1-5-21-1693682860-607145093-2874071422-1001
Value:
E935E71F38992F00
(PID) Process:
(4744) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Executable files
23
Suspicious files
313
Text files
106
Unknown types
172

Dropped files

PID
Process
Filename
Type
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF18d8f6.TMP
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF18d8f6.TMP
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF18d973.TMP
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF18d973.TMP
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF18d982.TMP
MD5:
SHA256:
PID:
4744
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
209
DNS requests
117
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3876
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:pHkdIe6vz-GydDxTjxFChob1S9vjC7RA2RhbPdU8vOA&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
101 b
whitelisted
3540
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
8168
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
NL
binary
408 b
whitelisted
8168
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
NL
binary
420 b
whitelisted
4744
msedge.exe
GET
200
23.50.131.149:80
http://crl.certum.pl/ctnca.crl
DE
binary
770 b
whitelisted
4744
msedge.exe
GET
200
23.50.131.150:80
http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D
DE
binary
1.52 Kb
whitelisted
4744
msedge.exe
GET
200
23.50.131.150:80
http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D
DE
binary
1.52 Kb
whitelisted
4744
msedge.exe
GET
200
23.50.131.150:80
http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQC78My1t7gx%2FSGuMneK5AyJ
DE
binary
1.80 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
828
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3876
msedge.exe
172.64.149.114:443
cdn.weglot.com
CLOUDFLARENET
US
shared
3876
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3876
msedge.exe
15.160.106.203:443
www.zenshield.com
AMAZON-02
IT
unknown
3876
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3876
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.zenshield.com
  • 15.160.106.203
  • 35.152.117.67
  • 15.161.34.42
unknown
copilot.microsoft.com
  • 92.123.104.53
  • 92.123.104.45
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.63
  • 92.123.104.32
  • 2.16.241.201
  • 2.16.241.218
whitelisted
cdn.prod.website-files.com
  • 104.18.160.117
  • 104.18.161.117
unknown
fonts.googleapis.com
  • 142.250.186.106
whitelisted
fonts.gstatic.com
  • 142.250.185.67
whitelisted

Threats

PID
Process
Class
Message
3876
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
3876
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
3876
msedge.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
3876
msedge.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
3876
msedge.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3876
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
3876
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
3876
msedge.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2200
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info