| URL: | https://cloudsaze.com/file/16019d0 |
| Full analysis: | https://app.any.run/tasks/91c985a0-7ed7-4739-aa98-ecb3181274a3 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | May 27, 2025, 17:07:30 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | D897DEC37B8AB2E30DD748BCE5537005 |
| SHA1: | A6EB535F0924E27CA7381B2B95C73D285D15D008 |
| SHA256: | CCF7F96D716A7FFD6B6F2D91469C315A59D796029C42DE13D3D7B828DFBC1DCB |
| SSDEEP: | 3:N8ULBW2AyGDoUqcjn:2UcnGcjn |
MALICIOUS
ADWARE has been detected (SURICATA)
- iphonedatarecovery2104.exe (PID: 6048)
- rundll32.exe (PID: 5812)
Run PowerShell with an invisible window
- powershell.exe (PID: 7408)
- powershell.exe (PID: 8180)
- powershell.exe (PID: 5452)
- powershell.exe (PID: 1004)
- powershell.exe (PID: 6852)
- powershell.exe (PID: 7824)
- powershell.exe (PID: 5280)
Uses WMIC.EXE to add exclusions to the Windows Defender
- powershell.exe (PID: 7408)
- powershell.exe (PID: 8180)
- powershell.exe (PID: 5452)
- cmd.exe (PID: 3960)
- cmd.exe (PID: 5512)
- cmd.exe (PID: 5528)
Uses Task Scheduler to run other applications
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
- mnuYqaj.exe (PID: 900)
- mbKybCR.exe (PID: 7752)
Uses Task Scheduler to autorun other applications
- mbKybCR.exe (PID: 7752)
SUSPICIOUS
The process drops C-runtime libraries
- rebuilder_dBzQqJC4gR.tmp (PID: 8084)
- BFzgr.tmp (PID: 1660)
Process drops legitimate windows executable
- rebuilder_dBzQqJC4gR.tmp (PID: 8084)
- BFzgr.tmp (PID: 1660)
Executable content was dropped or overwritten
- rebuilder_dBzQqJC4gR.exe (PID: 2136)
- rebuilder_dBzQqJC4gR.tmp (PID: 8084)
- rebuilder_dBzQqJC4gR.exe (PID: 7272)
- BFzgr.tmp (PID: 1660)
- BFzgr.exe (PID: 4436)
- iossystemrecovery96.exe (PID: 7468)
- iphonedatarecovery2104.exe (PID: 6048)
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
- mbKybCR.exe (PID: 7752)
- mnuYqaj.exe (PID: 900)
Potential Corporate Privacy Violation
- iphonedatarecovery2104.exe (PID: 6048)
Process requests binary or script from the Internet
- iphonedatarecovery2104.exe (PID: 6048)
Access to an unwanted program domain was detected
- iphonedatarecovery2104.exe (PID: 6048)
- rundll32.exe (PID: 5812)
Executes application which crashes
- iphonedatarecovery2104.exe (PID: 6048)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 6148)
- cmd.exe (PID: 3164)
- cmd.exe (PID: 4164)
- cmd.exe (PID: 1132)
- cmd.exe (PID: 2560)
- mnuYqaj.exe (PID: 900)
- cmd.exe (PID: 3960)
- cmd.exe (PID: 5512)
- cmd.exe (PID: 5528)
Starts CMD.EXE for commands execution
- forfiles.exe (PID: 8120)
- iphonedatarecovery2104.exe (PID: 6048)
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
- forfiles.exe (PID: 6276)
- forfiles.exe (PID: 7268)
- powershell.exe (PID: 6872)
- powershell.exe (PID: 7348)
- forfiles.exe (PID: 5996)
- forfiles.exe (PID: 7628)
- mbKybCR.exe (PID: 7752)
- forfiles.exe (PID: 3676)
Found strings related to reading or modifying Windows Defender settings
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
- forfiles.exe (PID: 8120)
- forfiles.exe (PID: 6276)
- forfiles.exe (PID: 7268)
- powershell.exe (PID: 7348)
- powershell.exe (PID: 6872)
- forfiles.exe (PID: 5996)
- mbKybCR.exe (PID: 7752)
- forfiles.exe (PID: 7628)
- forfiles.exe (PID: 3676)
Searches and executes a command on selected files
- forfiles.exe (PID: 8120)
- forfiles.exe (PID: 6276)
- forfiles.exe (PID: 7268)
- forfiles.exe (PID: 5996)
- forfiles.exe (PID: 7628)
- forfiles.exe (PID: 3676)
Connects to the server without a host name
- iphonedatarecovery2104.exe (PID: 6048)
There is functionality for taking screenshot (YARA)
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
The process executes via Task Scheduler
- mnuYqaj.exe (PID: 900)
- powershell.exe (PID: 1004)
- mbKybCR.exe (PID: 7752)
- rundll32.exe (PID: 2516)
Uses REG/REGEDIT.EXE to modify registry
- powershell.exe (PID: 6872)
- cmd.exe (PID: 3828)
- cmd.exe (PID: 6256)
- powershell.exe (PID: 7348)
Deletes scheduled task without confirmation
- schtasks.exe (PID: 4352)
- schtasks.exe (PID: 5180)
- schtasks.exe (PID: 5056)
- schtasks.exe (PID: 2244)
- schtasks.exe (PID: 1516)
INFO
Application launched itself
- msedge.exe (PID: 4108)
- msedge.exe (PID: 8104)
- msedge.exe (PID: 7868)
Reads Environment values
- identity_helper.exe (PID: 7560)
- identity_helper.exe (PID: 7676)
Reads the computer name
- identity_helper.exe (PID: 7560)
- identity_helper.exe (PID: 7676)
Launch of the file from Downloads directory
- msedge.exe (PID: 4108)
- msedge.exe (PID: 7228)
Reads the software policy settings
- slui.exe (PID: 6800)
Checks supported languages
- identity_helper.exe (PID: 7560)
- identity_helper.exe (PID: 7676)
Manual execution by a user
- WinRAR.exe (PID: 5576)
- rebuilder_dBzQqJC4gR.exe (PID: 2136)
- WinRAR.exe (PID: 5428)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 5576)
- WinRAR.exe (PID: 5428)
The sample compiled with english language support
- rebuilder_dBzQqJC4gR.tmp (PID: 8084)
- BFzgr.tmp (PID: 1660)
- iossystemrecovery96.exe (PID: 7468)
Compiled with Borland Delphi (YARA)
- rebuilder_dBzQqJC4gR.exe (PID: 7272)
- rebuilder_dBzQqJC4gR.tmp (PID: 8084)
- rebuilder_dBzQqJC4gR.exe (PID: 2136)
- rebuilder_dBzQqJC4gR.tmp (PID: 5324)
- iphonedatarecovery2104.exe (PID: 6048)
- BFzgr.exe (PID: 4436)
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
Detects InnoSetup installer (YARA)
- rebuilder_dBzQqJC4gR.exe (PID: 2136)
- rebuilder_dBzQqJC4gR.tmp (PID: 5324)
- rebuilder_dBzQqJC4gR.exe (PID: 7272)
- rebuilder_dBzQqJC4gR.tmp (PID: 8084)
- BFzgr.exe (PID: 4436)
Launch of the file from Task Scheduler
- sdV68iEBV1EWnlP3bSt.exe (PID: 2840)
- mnuYqaj.exe (PID: 900)
- mbKybCR.exe (PID: 7752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
488
Monitored processes
296
Malicious processes
10
Suspicious processes
11
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 456 | "C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 | C:\Windows\SysWOW64\reg.exe | — | powershell.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 616 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4496 --field-trial-handle=2356,i,16341324646242946617,13167328396664225385,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 728 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 776 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6048 -s 2180 | C:\Windows\SysWOW64\WerFault.exe | — | iphonedatarecovery2104.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 812 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x304,0x308,0x30c,0x2fc,0x314,0x7ffc89845fd8,0x7ffc89845fe4,0x7ffc89845ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 856 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5740 --field-trial-handle=2364,i,17587381641521531143,13337620921153096319,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 864 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=3540 --field-trial-handle=2272,i,16482640725532360891,16718998143300600850,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 900 | "C:\Users\admin\AppData\Local\Temp\wbTaXuaRQclBNEtlm\bQsHRDBSMkVdJgD\mnuYqaj.exe" mj /sfEFdidkif 757674 /S | C:\Users\admin\AppData\Local\Temp\wbTaXuaRQclBNEtlm\bQsHRDBSMkVdJgD\mnuYqaj.exe | svchost.exe | ||||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 904 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5792 --field-trial-handle=2364,i,17587381641521531143,13337620921153096319,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1004 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6048 -s 2256 | C:\Windows\SysWOW64\WerFault.exe | — | iphonedatarecovery2104.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
139 605
Read events
139 132
Write events
339
Delete events
134
Modification events
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: E97C6F62B7942F00 | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459404 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {2B2A9903-B99D-49B0-85BB-4959672F2478} | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459404 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {14DDD6A2-B7D2-4AE7-8F3F-60600FF0BFB0} | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: F2948E62B7942F00 | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A |
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch |
| Operation: | write | Name: | Enabled |
Value: 0 | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (4108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
Executable files
68
Suspicious files
425
Text files
418
Unknown types
168
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11c6e7.TMP | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF11c6e7.TMP | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11c773.TMP | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11c773.TMP | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF11c783.TMP | — | |
MD5:— | SHA256:— | |||
| 4108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
134
DNS requests
152
Threats
22
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
8132 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7400 | svchost.exe | HEAD | 200 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4b01f7e3-1016-48fe-9466-15e9587c9c82?P1=1748907560&P2=404&P3=2&P4=I9uH1UzTbp%2b0rQZsdQNgvnRNgv1w7qiuaJWJCH6lnXzz3ghpcbbdnKjI0tfolAlCdWFSvPIIQ7MnR%2bH59abrJA%3d%3d | unknown | — | — | whitelisted |
8132 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
7400 | svchost.exe | GET | 206 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4b01f7e3-1016-48fe-9466-15e9587c9c82?P1=1748907560&P2=404&P3=2&P4=I9uH1UzTbp%2b0rQZsdQNgvnRNgv1w7qiuaJWJCH6lnXzz3ghpcbbdnKjI0tfolAlCdWFSvPIIQ7MnR%2bH59abrJA%3d%3d | unknown | — | — | whitelisted |
7400 | svchost.exe | GET | 206 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4b01f7e3-1016-48fe-9466-15e9587c9c82?P1=1748907560&P2=404&P3=2&P4=I9uH1UzTbp%2b0rQZsdQNgvnRNgv1w7qiuaJWJCH6lnXzz3ghpcbbdnKjI0tfolAlCdWFSvPIIQ7MnR%2bH59abrJA%3d%3d | unknown | — | — | whitelisted |
7400 | svchost.exe | GET | 206 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4b01f7e3-1016-48fe-9466-15e9587c9c82?P1=1748907560&P2=404&P3=2&P4=I9uH1UzTbp%2b0rQZsdQNgvnRNgv1w7qiuaJWJCH6lnXzz3ghpcbbdnKjI0tfolAlCdWFSvPIIQ7MnR%2bH59abrJA%3d%3d | unknown | — | — | whitelisted |
7400 | svchost.exe | GET | 206 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4b01f7e3-1016-48fe-9466-15e9587c9c82?P1=1748907560&P2=404&P3=2&P4=I9uH1UzTbp%2b0rQZsdQNgvnRNgv1w7qiuaJWJCH6lnXzz3ghpcbbdnKjI0tfolAlCdWFSvPIIQ7MnR%2bH59abrJA%3d%3d | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7512 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7472 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4108 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4180 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4180 | msedge.exe | 150.171.27.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4180 | msedge.exe | 13.107.253.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
cloudsaze.com |
| unknown |
edge.microsoft.com |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |
business.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4180 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
4180 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
4180 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] hCaptcha Enterprise Challenge |
4180 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] hCaptcha Enterprise Challenge |
4180 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com) |
4180 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com) |
6048 | iphonedatarecovery2104.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] DownloadAssistant HTTP POST Request |
6048 | iphonedatarecovery2104.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] DownloadAssistant HTTP POST Request |
6620 | msedge.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate |
6048 | iphonedatarecovery2104.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] DownloadAssistant HTTP POST Request |