URL:

https://cloud.doc9.com.br/api/download/whom?category=lite&version=latest

Full analysis: https://app.any.run/tasks/74e55203-d64f-4f9f-b3ae-161122ed5e70
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 06, 2026, 17:45:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
delphi
inno
installer
Indicators:
MD5:

64D90F77D033A742763BE73554404981

SHA1:

B5047DFDE56EDF05C8E544DB9C1C780BBB8D2F5F

SHA256:

D7A2FE9235275391A181C131C68CF51EBA5DBBE60BF7509CF8A621958EF2FE5E

SSDEEP:

3:N8ULBL8LZIzPV1KEkCaGE1KZTtsJERzR:2U7zPVAeaTAZS49

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • whom-lite-1.8.0.exe (PID: 524)
      • whom-lite-1.8.0.exe (PID: 3120)
      • WDA.exe (PID: 7648)

    • Changes settings of System certificates

      • PKIProxyCertMgr.exe (PID: 5408)

    • Changes the autorun value in the registry

      • whom-lite-1.8.0.tmp (PID: 6108)
      • WDA.exe (PID: 7648)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • whom-lite-1.8.0.exe (PID: 524)
      • whom-lite-1.8.0.tmp (PID: 6108)
      • whom-lite-1.8.0.exe (PID: 3120)
      • PKIProxy2024.exe (PID: 8780)

    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 1884)

    • Application launched itself

      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 1884)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 4696)

    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 1884)

    • Reads the Windows owner or organization settings

      • whom-lite-1.8.0.tmp (PID: 6108)

    • The process creates files with name similar to system file names

      • PKIProxy2024.exe (PID: 8780)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • PKIProxy2024.exe (PID: 8780)

    • Adds/modifies Windows certificates

      • PKIProxyCertMgr.exe (PID: 5408)

  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3112)
      • msedge.exe (PID: 7372)

    • Reads the computer name

      • identity_helper.exe (PID: 6904)
      • whom-lite-1.8.0.tmp (PID: 1424)
      • whom-lite-1.8.0.exe (PID: 3120)
      • whom-lite-1.8.0.tmp (PID: 6108)
      • PKIProxyCertMgr.exe (PID: 5408)
      • PKIProxy2024.exe (PID: 8780)
      • pkptool.exe (PID: 5780)
      • WDA.exe (PID: 7648)
      • pkptool.exe (PID: 5736)
      • pkptool.exe (PID: 4604)
      • pkptool.exe (PID: 4200)

    • Application launched itself

      • msedge.exe (PID: 3112)

    • Checks supported languages

      • identity_helper.exe (PID: 6904)
      • whom-lite-1.8.0.exe (PID: 524)
      • whom-lite-1.8.0.tmp (PID: 1424)
      • whom-lite-1.8.0.tmp (PID: 6108)
      • whom-lite-1.8.0.exe (PID: 3120)
      • PKIProxy2024.exe (PID: 8780)
      • PKIProxyCertMgr.exe (PID: 5408)
      • pkptool.exe (PID: 5780)
      • WDA.exe (PID: 7648)
      • pkptool.exe (PID: 5736)
      • pkptool.exe (PID: 4200)
      • pkptool.exe (PID: 4604)

    • Reads Environment values

      • identity_helper.exe (PID: 6904)
      • WDA.exe (PID: 7648)

    • Launching a file from the Downloads directory

      • msedge.exe (PID: 3112)

    • Create files in a temporary directory

      • whom-lite-1.8.0.exe (PID: 524)
      • whom-lite-1.8.0.tmp (PID: 6108)
      • whom-lite-1.8.0.exe (PID: 3120)
      • PKIProxy2024.exe (PID: 8780)

    • FOR cycle in command line

      • cmd.exe (PID: 1884)
      • cmd.exe (PID: 2856)

    • Reads security settings of Internet Explorer

      • whom-lite-1.8.0.tmp (PID: 1424)
      • PKIProxy2024.exe (PID: 8780)
      • PKIProxyCertMgr.exe (PID: 5408)
      • whom-lite-1.8.0.tmp (PID: 6108)

    • Process checks computer location settings

      • whom-lite-1.8.0.tmp (PID: 1424)
      • whom-lite-1.8.0.tmp (PID: 6108)

    • Creating file in SysWOW64

      • whom-lite-1.8.0.tmp (PID: 6108)

    • Creates a software uninstall entry

      • PKIProxy2024.exe (PID: 8780)
      • whom-lite-1.8.0.tmp (PID: 6108)

    • Reads the machine GUID from the registry

      • PKIProxyCertMgr.exe (PID: 5408)

    • Creates files or folders in the user directory

      • PKIProxyCertMgr.exe (PID: 5408)
      • WDA.exe (PID: 7648)

    • Detects InnoSetup installer (YARA)

      • whom-lite-1.8.0.exe (PID: 524)
      • whom-lite-1.8.0.tmp (PID: 1424)

    • Launching a file from a Registry key

      • whom-lite-1.8.0.tmp (PID: 6108)
      • WDA.exe (PID: 7648)

    • Compiled with Borland Delphi (YARA)

      • whom-lite-1.8.0.tmp (PID: 1424)
      • whom-lite-1.8.0.exe (PID: 524)

    • Reads product name

      • WDA.exe (PID: 7648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
195
Monitored processes
46
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs whom-lite-1.8.0.exe whom-lite-1.8.0.tmp no specs whom-lite-1.8.0.exe whom-lite-1.8.0.tmp cmd.exe no specs conhost.exe no specs netstat.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs pkiproxy2024.exe pkiproxycertmgr.exe pkptool.exe no specs conhost.exe no specs pkptool.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wda.exe pkptool.exe no specs conhost.exe no specs pkptool.exe no specs conhost.exe no specs slui.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
524"C:\Users\admin\Downloads\whom-lite-1.8.0.exe" C:\Users\admin\Downloads\whom-lite-1.8.0.exe
msedge.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Lite Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\downloads\whom-lite-1.8.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comctl32.dll
c:\windows\syswow64\advapi32.dll
1424"C:\Users\admin\AppData\Local\Temp\is-O4RLP.tmp\whom-lite-1.8.0.tmp" /SL5="$160228,17220181,882176,C:\Users\admin\Downloads\whom-lite-1.8.0.exe" C:\Users\admin\AppData\Local\Temp\is-O4RLP.tmp\whom-lite-1.8.0.tmpwhom-lite-1.8.0.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-o4rlp.tmp\whom-lite-1.8.0.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
1524"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6056,i,15393684503491353506,9336441034332593958,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
1884C:\WINDOWS\system32\cmd.exe /S /D /c" FOR /F "tokens=5" %a in ('findstr :40990') do taskkill /PID %a /F"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1960"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6504,i,15393684503491353506,9336441034332593958,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=7552 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2212"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3676,i,15393684503491353506,9336441034332593958,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2340"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffd6f4cf208,0x7ffd6f4cf214,0x7ffd6f4cf220C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2416\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepkptool.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2856"cmd.exe" /C netstat -ano | findstr :40990 | for /f "tokens=5" %a in ('findstr :40990') do taskkill /PID %a /FC:\Windows\System32\cmd.exewhom-lite-1.8.0.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2976C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
9 713
Read events
9 673
Write events
36
Delete events
4

Modification events

(PID) Process:(4800) NETSTAT.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
Operation:writeName:TrapPollTimeMilliSecs
Value:
15000
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\nsoftware\PKI Proxy 2024
Operation:writeName:InstallDir
Value:
C:\Program Files\PKI Proxy 2024 Client Pack
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:Comments
Value:
Please email to support@nsoftware.com.
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:Contact
Value:
support@nsoftware.com
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PKI Proxy 2024 Client Pack\help\favicon.ico
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:DisplayName
Value:
PKI Proxy 2024
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:DisplayVersion
Value:
24.0.8920
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:Publisher
Value:
/n software inc.
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:URLInfoAbout
Value:
www.nsoftware.com
(PID) Process:(8780) PKIProxy2024.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PKI Proxy 2024
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PKI Proxy 2024 Client Pack\help\lib\add_rmv_prg.ico
Executable files
34
Suspicious files
44
Text files
287
Unknown types
0

Dropped files

PID
Process
Filename
Type
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e52c1.TMP
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e52d1.TMP
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1e52e0.TMP
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e52e0.TMP
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e52e0.TMP
MD5:
SHA256:
3112msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e52f0.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
49
DNS requests
45
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7372
msedge.exe
GET
304
150.171.27.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
US
whitelisted
GET
200
23.11.41.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
NL
binary
313 b
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
960 b
whitelisted
7372
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
465 b
whitelisted
7372
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:IwebC0Y_zuWeVh3jxiZqj92Wc_m3S7QUNQYNFTlzk7k&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
98 b
whitelisted
7372
msedge.exe
GET
200
104.18.22.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
25 b
whitelisted
7372
msedge.exe
GET
200
52.123.243.217:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=66&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
US
4.42 Kb
whitelisted
7372
msedge.exe
GET
200
150.171.109.194:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
US
82 b
whitelisted
7372
msedge.exe
GET
200
168.227.248.135:443
https://cloud.doc9.com.br/api/download/whom?category=lite&version=latest
BR
executable
5.00 Mb
unknown
7372
msedge.exe
POST
200
142.251.36.99:443
https://update.googleapis.com/service/update2/json?cup2key=14:A2ZKn8XRnPQioX8WpdiBZuz8tjTtcLdx6NzDvtSskT0&cup2hreq=f7a38dda72ef2260d75abd38241c5e1b7c768e86793c9bdffe31ece7668fb2e3
US
891 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2328
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5900
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5568
SearchApp.exe
92.123.104.46:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3412
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7372
msedge.exe
52.123.243.217:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 13.69.116.105
whitelisted
google.com
  • 142.251.14.139
  • 142.251.14.100
  • 142.251.14.102
  • 142.251.14.138
  • 142.251.14.101
  • 142.251.14.113
whitelisted
www.bing.com
  • 92.123.104.46
  • 92.123.104.41
  • 92.123.104.34
  • 92.123.104.38
  • 92.123.104.29
  • 92.123.104.36
  • 92.123.104.32
  • 92.123.104.37
  • 92.123.104.44
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 52.123.243.217
  • 52.123.243.76
  • 52.123.243.81
  • 52.123.243.195
whitelisted
cloud.doc9.com.br
  • 168.227.248.135
  • 168.227.248.136
whitelisted

Threats

PID
Process
Class
Message
2328
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7372
msedge.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cloud.doc9.com.br/api/download/whom?category=lite&version=latest