URL:

https://edex.se-sto-1.linodeobjects.com/FedEx.Delivery.Notification.ConnectAgent-5.8.23.msi

Full analysis: https://app.any.run/tasks/b81ab35c-32a1-43e5-977c-72e967cd316d
Verdict: Malicious activity
Analysis date: September 04, 2025, 23:13:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pdqconnect
rmm-tool
anti-evasion
rust
Indicators:
MD5:

26C9D2C0B3CB5952271A87F0B9CF145E

SHA1:

B3556E108121C0F1CBC56C95FADCCD4C117C1C39

SHA256:

CF20C0DB3820EE5D005E9BFF8EAB1EB362A26A7E63A0381980E81AAD269BF930

SSDEEP:

3:N8QICHlMGG8BYVtMX6rKPGa57RyRIQpjMIWM:2Q7XBYfMX6OPT7sRIQpjMIWM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5252)
      • powershell.exe (PID: 7912)
      • powershell.exe (PID: 6776)
      • powershell.exe (PID: 7204)
      • powershell.exe (PID: 7736)
      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 5244)
      • powershell.exe (PID: 5284)
      • powershell.exe (PID: 4788)
      • powershell.exe (PID: 1688)
      • powershell.exe (PID: 2288)
      • powershell.exe (PID: 8728)
      • powershell.exe (PID: 8868)
      • powershell.exe (PID: 4264)
      • powershell.exe (PID: 8456)
      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 5372)
      • powershell.exe (PID: 7420)
    • Changes powershell execution policy (Bypass)

      • pdq-connect-agent.exe (PID: 4164)
    • Collects BIOS Properties (Win32_BIOS) (SCRIPT)

      • powershell.exe (PID: 7204)
    • Accesses installed system drivers (Win32_SystemDriver) (SCRIPT)

      • powershell.exe (PID: 2620)
    • Accesses system services (Win32_Service) (SCRIPT)

      • powershell.exe (PID: 7744)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 8112)
      • pdq-connect-agent.exe (PID: 4164)
      • pdq-connect-updater.exe (PID: 1980)
      • WmiApSrv.exe (PID: 8496)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8056)
    • Application launched itself

      • msiexec.exe (PID: 8056)
      • powershell.exe (PID: 2288)
    • Uses RUNDLL32.EXE to load library

      • msiexec.exe (PID: 7876)
      • msiexec.exe (PID: 7352)
      • msiexec.exe (PID: 3160)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 1192)
      • rundll32.exe (PID: 7348)
      • rundll32.exe (PID: 7884)
      • rundll32.exe (PID: 4084)
      • rundll32.exe (PID: 6364)
      • pdq-connect-agent.exe (PID: 4164)
      • rundll32.exe (PID: 7032)
      • rundll32.exe (PID: 4084)
      • csc.exe (PID: 6068)
      • powershell.exe (PID: 8868)
    • PDQConnect is probably used for system patching and software deployment

      • sc.exe (PID: 1980)
    • Windows service management via SC.EXE

      • sc.exe (PID: 1980)
    • Starts SC.EXE for service management

      • rundll32.exe (PID: 6364)
    • The process hides Powershell's copyright startup banner

      • pdq-connect-agent.exe (PID: 4164)
      • powershell.exe (PID: 2288)
    • The process hides an interactive prompt from the user

      • pdq-connect-agent.exe (PID: 4164)
    • Starts POWERSHELL.EXE for command execution

      • pdq-connect-agent.exe (PID: 4164)
      • powershell.exe (PID: 2288)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 5252)
      • powershell.exe (PID: 8868)
    • Enumerates operating system information (Win32_OperatingSystem) (SCRIPT)

      • powershell.exe (PID: 6776)
      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 8868)
      • powershell.exe (PID: 5884)
    • The process bypasses the loading of PowerShell profile settings

      • pdq-connect-agent.exe (PID: 4164)
      • powershell.exe (PID: 2288)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6068)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 8868)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 9172)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 8868)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 8868)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 3576)
    • Reads the computer name

      • identity_helper.exe (PID: 7596)
      • msiexec.exe (PID: 8056)
      • msiexec.exe (PID: 7876)
      • msiexec.exe (PID: 7352)
      • pdq-connect-agent.exe (PID: 4164)
      • msiexec.exe (PID: 3160)
      • pdq-connect-updater.exe (PID: 1980)
      • DismHost.exe (PID: 9172)
    • Checks supported languages

      • identity_helper.exe (PID: 7596)
      • msiexec.exe (PID: 8056)
      • msiexec.exe (PID: 7876)
      • msiexec.exe (PID: 7352)
      • pdq-connect-agent.exe (PID: 4164)
      • msiexec.exe (PID: 3160)
      • pdq-connect-updater.exe (PID: 1980)
      • csc.exe (PID: 6068)
      • cvtres.exe (PID: 7448)
      • DismHost.exe (PID: 9172)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 3576)
    • Reads the software policy settings

      • msiexec.exe (PID: 7992)
      • msiexec.exe (PID: 8056)
      • pdq-connect-updater.exe (PID: 1980)
      • pdq-connect-agent.exe (PID: 4164)
      • slui.exe (PID: 1532)
    • Reads Environment values

      • identity_helper.exe (PID: 7596)
      • pdq-connect-agent.exe (PID: 4164)
      • DismHost.exe (PID: 9172)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 8056)
      • csc.exe (PID: 6068)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7992)
      • Taskmgr.exe (PID: 8768)
    • Manages system restore points

      • SrTasks.exe (PID: 7740)
    • Creates files in a temporary directory

      • rundll32.exe (PID: 1192)
      • rundll32.exe (PID: 7348)
    • The sample is compiled with English language support

      • msiexec.exe (PID: 8056)
      • powershell.exe (PID: 8868)
    • Creates files in the program directory

      • pdq-connect-agent.exe (PID: 4164)
      • rundll32.exe (PID: 4084)
      • msiexec.exe (PID: 7788)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8056)
    • PDQCONNECT has been detected

      • msiexec.exe (PID: 7352)
      • rundll32.exe (PID: 6364)
      • pdq-connect-agent.exe (PID: 4164)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 8056)
    • Application based on Rust

      • pdq-connect-agent.exe (PID: 4164)
      • pdq-connect-updater.exe (PID: 1980)
    • Manual execution by a user

      • mspaint.exe (PID: 7408)
      • mspaint.exe (PID: 4412)
      • Taskmgr.exe (PID: 8832)
      • Taskmgr.exe (PID: 8768)
    • Process checks computer location settings

      • pdq-connect-agent.exe (PID: 4164)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5252)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 8868)
      • powershell.exe (PID: 8344)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4456)
    • Checks proxy server information

      • slui.exe (PID: 1532)
    • Reads Windows Product ID

      • powershell.exe (PID: 8868)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8868)
      • powershell.exe (PID: 8456)
      • powershell.exe (PID: 1472)
      • powershell.exe (PID: 7304)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
284
Monitored processes
127
Malicious processes
4
Suspicious processes
11

Behavior graph

Process tree figure not reproduced here. Processes shown in the graph: msedge.exe, identity_helper.exe, msiexec.exe, vssvc.exe, srtasks.exe, conhost.exe, rundll32.exe, sc.exe, pdq-connect-agent.exe, pdq-connect-updater.exe, powershell.exe, slui.exe, mspaint.exe, csc.exe, cvtres.exe, tiworker.exe, dsregcmd.exe, dismhost.exe, taskmgr.exe, wmiapsrv.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
480
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
1028
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6300,i,6055861992960778689,15341584732495145649,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1192
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSI2A04.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1649218 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
Path:
C:\Windows\System32\rundll32.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
1216
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2424,i,6055861992960778689,15341584732495145649,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1232
CMD:
C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path:
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
1472
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1532
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1688
CMD:
"powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
pdq-connect-agent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
1704
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1364,i,6055861992960778689,15341584732495145649,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1880
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5224,i,6055861992960778689,15341584732495145649,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
208 278
Read events
207 810
Write events
433
Delete events
35

Modification events

(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:
write
Name:
StatusCodes
Value:

(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:
write
Name:
StatusCodes
Value:
01000000
(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:
write
Name:
user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328510
Operation:
write
Name:
WindowTabManagerFileMappingId
Value:
{8C78E143-BCBC-48C7-B460-2F91B365F6E9}
(PID) Process:
(3576) msedge.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:
write
Name:
S-1-5-21-1693682860-607145093-2874071422-1001
Value:
F4A15D26989C2F00
(PID) Process:
(3576) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328510
Operation:
write
Name:
WindowTabManagerFileMappingId
Value:
{F2EB3DB7-C2D9-47AF-996A-5F38A971E977}
(PID) Process:
(3576) msedge.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:
write
Name:
S-1-5-21-1693682860-607145093-2874071422-1001
Value:
C5A36D26989C2F00
Executable files
100
Suspicious files
334
Text files
193
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF18d51d.TMP
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF18d50e.TMP
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF18d51d.TMP
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF18d51d.TMP
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF18d52d.TMP
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
PID:
3576
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
79
DNS requests
76
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3576
msedge.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
US
binary
727 b
whitelisted
3576
msedge.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
US
binary
471 b
whitelisted
6004
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:fTJegoQgjRAqgE_fJWv7aoT46ngphBkEVMaOeBS7kMM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
101 b
whitelisted
3576
msedge.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAZ4BOCrCqbwPVOB48I4p0g%3D
US
binary
727 b
whitelisted
1268
svchost.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
5352
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
whitelisted
7184
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1757088538&P2=404&P3=2&P4=T6x05EyNVVV9AZ0WzPwWZEay8mY2Kh7a%2frT%2f208Z5kDHyrpE3HbucwFRhwJIXLaTOIWEwDdJ3UJ1BT282cCS6Q%3d%3d
US
binary
1.09 Kb
whitelisted
7184
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/550117a4-8c0f-4d0d-8ff8-7c3caccb0e8a?P1=1757084946&P2=404&P3=2&P4=UkR0iP92wu62PdekBDGRQcUQzONuDHqhqVWYLC%2bhgFs9qrZO82g97X00XkzSRDbl26L8PO8Pf32PX0UMCgrLtQ%3d%3d
US
binary
2.98 Kb
whitelisted
7184
svchost.exe
GET
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/550117a4-8c0f-4d0d-8ff8-7c3caccb0e8a?P1=1757084946&P2=404&P3=2&P4=UkR0iP92wu62PdekBDGRQcUQzONuDHqhqVWYLC%2bhgFs9qrZO82g97X00XkzSRDbl26L8PO8Pf32PX0UMCgrLtQ%3d%3d
US
binary
6.24 Kb
whitelisted
7184
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1757088538&P2=404&P3=2&P4=T6x05EyNVVV9AZ0WzPwWZEay8mY2Kh7a%2frT%2f208Z5kDHyrpE3HbucwFRhwJIXLaTOIWEwDdJ3UJ1BT282cCS6Q%3d%3d
US
compressed
764 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3852
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6004
msedge.exe
52.123.243.66:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
DE
whitelisted
6004
msedge.exe
150.171.27.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6004
msedge.exe
172.232.142.240:443
edex.se-sto-1.linodeobjects.com
Akamai International B.V.
US
unknown
6004
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6004
msedge.exe
23.3.89.120:443
copilot.microsoft.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 52.123.243.66
  • 52.123.243.196
  • 52.123.243.80
  • 52.123.243.199
whitelisted
edex.se-sto-1.linodeobjects.com
  • 172.232.142.240
  • 172.232.148.182
  • 172.232.148.175
  • 172.232.148.184
  • 172.232.142.226
  • 172.234.118.83
  • 172.232.132.195
  • 172.234.118.138
  • 172.232.132.198
  • 172.234.118.208
  • 172.232.148.144
  • 172.232.142.106
unknown
copilot.microsoft.com
  • 23.3.89.120
unknown
update.googleapis.com
  • 142.250.185.131
whitelisted
www.bing.com
  • 95.100.158.114
  • 23.11.206.107
  • 23.3.89.122
  • 23.3.89.98
  • 23.11.206.98
  • 23.3.89.113
whitelisted
clients2.googleusercontent.com
  • 142.250.186.161
whitelisted
edgeassetservice.azureedge.net
  • 13.107.246.44
whitelisted

Threats

PID
Process
Class
Message
6004
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Bucket Object Storage service (.linodeobjects .com)
6004
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Bucket Object Storage service (.linodeobjects .com)
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
Process
Message
powershell.exe
PID=8868 TID=9004 DismApi.dll: - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 DismApi.dll: - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 DismApi.dll: Parent process command line: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 Enter DismInitializeInternal - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 Initialized GlobalConfig - DismInitializeInternal
powershell.exe
PID=8868 TID=9004 Initialized SessionTable - DismInitializeInternal