File name: Archive.zip
Full analysis: https://app.any.run/tasks/b77f5682-ab1f-4650-a5cd-5dcda5c145b0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 13, 2024, 16:31:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: BDF994856C1BF0576D91F85C00630F6C
SHA1: 11D661550B0D0D01DAE4BFFF5F66EF4CB377C01B
SHA256: CCD156B93B34E49999F5917F27C88CEDE4118C48D9BCC9C9BB0D12E11804D672
SSDEEP: 98304:3OEi30NauNCrf0k1C94o7pfDQXBVQfJGtK/Nuxk1F1+fim7TNgSadzPg61I9n3Ev:ZCirpL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5276)
    • Changes powershell execution policy (Unrestricted)

      • cmd.exe (PID: 6736)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • MicrosoftEdgeWebview2Setup.exe (PID: 2888)
      • WinRAR.exe (PID: 5276)
      • MicrosoftEdgeUpdate.exe (PID: 6688)
      • MicrosoftEdgeUpdate.exe (PID: 6148)
      • MicrosoftEdge_X64_129.0.2792.89.exe (PID: 7112)
      • setup.exe (PID: 6908)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 2888)
      • MicrosoftEdgeUpdate.exe (PID: 6688)
      • DismHost.exe (PID: 6888)
      • DismHost.exe (PID: 4040)
      • DismHost.exe (PID: 608)
    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebview2Setup.exe (PID: 2888)
      • MicrosoftEdgeUpdate.exe (PID: 6688)
      • MicrosoftEdge_X64_129.0.2792.89.exe (PID: 7112)
      • Dism.exe (PID: 6968)
      • Dism.exe (PID: 3608)
      • Dism.exe (PID: 6976)
      • setup.exe (PID: 6908)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6688)
    • Potential Corporate Privacy Violation

      • MicrosoftEdgeUpdate.exe (PID: 6148)
    • Application launched itself

      • msedgewebview2.exe (PID: 6448)
      • setup.exe (PID: 6908)
      • MicrosoftEdgeUpdate.exe (PID: 6148)
    • Executing commands from a ".bat" file

      • VTRL_unpacked.exe (PID: 6228)
    • Starts CMD.EXE for commands execution

      • VTRL_unpacked.exe (PID: 6228)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6736)
      • cmd.exe (PID: 6420)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6736)
      • VTRL_unpacked.exe (PID: 6228)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6736)
      • VTRL_unpacked.exe (PID: 6228)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6420)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4316)
  • INFO

    • Manual execution by a user

      • MicrosoftEdgeWebview2Setup.exe (PID: 2888)
      • VTRL_unpacked.exe (PID: 5824)
      • VTRL_unpacked.exe (PID: 6228)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 5276)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5276)
    • Manages system restore points

      • SrTasks.exe (PID: 7524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:10:13 18:28:58
ZipCRC: 0x4298d6f9
ZipCompressedSize: 1560442
ZipUncompressedSize: 1664968
ZipFileName: MicrosoftEdgeWebview2Setup.exe
All screenshots are available in the full report
Total processes: 197
Monitored processes: 53
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Processes in the graph: winrar.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, microsoftedgeupdatecomregistershell64.exe, sppextcomobj.exe, slui.exe, microsoftedge_x64_129.0.2792.89.exe, setup.exe, vtrl_unpacked.exe, msedgewebview2.exe, svchost.exe, cmd.exe, conhost.exe, reg.exe, powershell.exe, dism.exe, dismhost.exe, tiworker.exe, sc.exe, SPPSurrogate, vssvc.exe, srtasks.exe, shellexperiencehost.exe

Process information

PID: 512
CMD: sc config winmgmt start=auto
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\sc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll

PID: 608
CMD: C:\Users\admin\AppData\Local\Temp\9D043471-A743-4408-895E-F966D6A8A0C8\dismhost.exe {AD38451E-0BA2-4B04-8674-B8A1542AE87C}
Path: C:\Users\admin\AppData\Local\Temp\9D043471-A743-4408-895E-F966D6A8A0C8\DismHost.exe
Parent process: Dism.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Dism Host Servicing Process
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\users\admin\appdata\local\temp\9d043471-a743-4408-895e-f966d6a8a0c8\dismhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ole32.dll

PID: 632
CMD: sc start wmi
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\sc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll

PID: 864
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.25
Modules (images): c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\ole32.dll

PID: 944
CMD: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.89\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\cc.vtrl\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\cc.vtrl\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.101 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.89\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=129.0.2792.89 --initial-client-data=0x184,0x188,0x18c,0x160,0x194,0x7ffbc9aa8ee0,0x7ffbc9aa8eec,0x7ffbc9aa8ef8
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.89\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Version: 129.0.2792.89
Modules (images): c:\users\admin\appdata\local\microsoft\edgewebview\application\129.0.2792.89\msedgewebview2.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\users\admin\appdata\local\microsoft\edgewebview\application\129.0.2792.89\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 1196
CMD: powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'VTRL RESTORE POINT'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll

PID: 1376
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\sppextcomobj.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\oleaut32.dll

PID: 1396
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID: 1768
CMD: reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID: 1788
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.89\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL_unpacked.exe --webview-exe-version=2.2.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2400,i,9848404600961631923,3087909142676353933,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.89\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Version: 129.0.2792.89
Modules (images): c:\users\admin\appdata\local\microsoft\edgewebview\application\129.0.2792.89\msedgewebview2.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\users\admin\appdata\local\microsoft\edgewebview\application\129.0.2792.89\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

Total events: 34 124
Read events: 31 435
Write events: 2 603
Delete events: 86

Modification events

PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory, name "1", value "C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip"
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory, name "0", value "C:\Users\admin\AppData\Local\Temp\Archive.zip"
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, name "name", value 120
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, name "size", value 80
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, name "type", value 120
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths, name "mtime", value 100
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin, name "Placement", value 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths, name "name", value 256
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths, name "size", value 80
PID 5276, WinRAR.exe: write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths, name "psize", value 80

Executable files: 360
Suspicious files: 116
Text files: 37
Unknown types: 16

Dropped files

PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\MicrosoftEdgeUpdate.exe (executable)
  MD5: 1509ED11B3781E023E9C0A491BFDAC80
  SHA256: F626890B39920D9FA35EBCC31D448B75DF05FE4A7A424C2B5CEB95C7D61E5D71
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\MicrosoftEdgeComRegisterShellARM64.exe (executable)
  MD5: D16DEAB532387BB817FCAA50B9BD8972
  SHA256: BA27CA798445934D02BE72A0FAA198539DFA38E922C06BDD93EB3070EE12311B
PID 5276, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa5276.39270\MicrosoftEdgeWebview2Setup.exe (executable)
  MD5: A05C87DD1C5BEF14C7C75F48BF4D01EA
  SHA256: 274E12D01E0CAE083202DF4A809C1C153B02CB3CA121C19C43B0AAA1C3A53A40
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\msedgeupdate.dll (executable)
  MD5: 8A816664389165F11A9E50FE42671657
  SHA256: 09D9F52E86DDD5FB3391D7DD683C42A9FA9D03A2CEEE56B1273CCD42986B4851
PID 5276, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa5276.39579\VTRL_unpacked.exe (executable)
  MD5: CE30BC18638AA4CC62E39989C24727B6
  SHA256: 6A57F62FC52D3DB1A5A2A3BA4EB4BFAF76CE7B7E589B0F15D924700ADADE078A
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe (executable)
  MD5: 8CDA2D501C51F0869A69D5951F2AEC5E
  SHA256: 208497513FF0C793E6DC0A9935D73DFC37887C875FE00AFF4DFAEB3854054D31
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\MicrosoftEdgeUpdateBroker.exe (executable)
  MD5: A79F7F8BC9B419E4B18316B2770747E1
  SHA256: 1856E95BA698594D5DF6A589DEA635C114762BF40A7B43160069E47FFE5080F6
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\psuser.dll (executable)
  MD5: 0407DC1F6D634CE9B2891656814E77C5
  SHA256: 9172E1E9EC6BF144B9B38131FBE8401EB028E5428A890D46C0F45F5AF13F5561
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\psmachine_64.dll (executable)
  MD5: D3CFF1EF3EF23D314C8736EDCE0D8E6D
  SHA256: 48937A055CE355CE8CC3E9D12758B2EF065991F163DA7342479292668042270F
PID 2888, MicrosoftEdgeWebview2Setup.exe: C:\Users\admin\AppData\Local\Temp\EUE2B8.tmp\MicrosoftEdgeUpdateOnDemand.exe (executable)
  MD5: 64309E5DDEF493FCD044041E31B44494
  SHA256: 43F54C9E85C0BBC86F9AACDAB40682E330D6D58BAD89A400FD6F609F72285FE2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 81
DNS requests: 42
Threats: 4

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
692 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4380 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
2864 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6148 | MicrosoftEdgeUpdate.exe | GET | 200 | 23.32.238.105:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b53fa217-6f44-4585-a4ec-70ed35f2aa73?P1=1729441893&P2=404&P3=2&P4=JxSdkFNWti0o3a2kZHLwGZBpxxsLeKaB1oJzR9g8fjfMRGNXlKistqcjsbSGMMsfnrBg48Em27dVqPmcRHvFHg%3d%3d | unknown | whitelisted
7920 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2132f61f-f790-4ae6-a355-8cf9a1533800?P1=1729292485&P2=404&P3=2&P4=hPBpf7hI14qV8xTB4ZUP34beQI9fWg4wA4QPKQvJO6HLb05IoRBygJgxt3Q6KjSr8SUarSzF%2fB09hjz%2f4bT8hQ%3d%3d | unknown | whitelisted
2864 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7920 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2132f61f-f790-4ae6-a355-8cf9a1533800?P1=1729292485&P2=404&P3=2&P4=hPBpf7hI14qV8xTB4ZUP34beQI9fWg4wA4QPKQvJO6HLb05IoRBygJgxt3Q6KjSr8SUarSzF%2fB09hjz%2f4bT8hQ%3d%3d | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7056 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4360 | SearchApp.exe | 184.86.251.8:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
692 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
692 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4360 | SearchApp.exe | 184.86.251.31:443 | th.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
www.bing.com | 184.86.251.8, 184.86.251.11, 184.86.251.10, 184.86.251.14, 184.86.251.9, 184.86.251.18, 184.86.251.15, 184.86.251.13, 184.86.251.7 | whitelisted
google.com | 172.217.23.110 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.17, 20.190.160.22, 40.126.32.68, 20.190.160.20, 40.126.32.136, 40.126.32.134, 40.126.32.133 | whitelisted
th.bing.com | 184.86.251.31, 184.86.251.10, 184.86.251.9, 184.86.251.25, 184.86.251.30, 184.86.251.27, 184.86.251.5, 184.86.251.4, 184.86.251.7 | whitelisted
go.microsoft.com | 23.213.166.81, 184.28.89.167 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

Columns: PID | Process | Class | Message

6148 | MicrosoftEdgeUpdate.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2172 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2428 | msedgewebview2.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2428 | msedgewebview2.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD

Columns: Process | Message

msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\cc.vtrl directory exists )
Dism.exe | PID=6968 TID=3700 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe | PID=6968 TID=3700 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=6968 TID=3700 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=6968 TID=3700 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=6968 TID=3700 Loading Provider from location C:\WINDOWS\system32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=6968 TID=3700 Connecting to the provider located at C:\WINDOWS\system32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe | PID=6888 TID=3648 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
DismHost.exe | PID=6888 TID=3648 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe | PID=6888 TID=3648 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider