URL:

https://pub-04959d9029f340cfbb0f6849c1b75e7d.r2.dev/TaDsk_Stup-x64.9.2.zip

Full analysis: https://app.any.run/tasks/121fff88-f290-47e0-8958-1fc6afb9ae25
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: June 03, 2025, 09:15:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
possible-phishing
upx
valleyrat
winos
rat
silverfox
backdoor
Indicators:
MD5:

C0AC367F497340257009CADF1A8DF1D7

SHA1:

E2C4988E5C33220C3FC887013E6CFC0C1AD121C6

SHA256:

DE94F9C9B531AAB2ABB8A9B64499C5A42E4846ABC457D39152E042B79F952128

SSDEEP:

3:N8UIscVXwGGN49XltxZstcUV:2UI3XwGV74

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • chrmstp.exe (PID: 7508)

    • Changes powershell execution policy

      • cmd.exe (PID: 6252)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6252)
      • regsvr32.exe (PID: 1188)

    • Changes Windows Defender settings

      • cmd.exe (PID: 6252)

    • VALLEYRAT has been detected (YARA)

      • UserAccountBroker.exe (PID: 7904)

    • SILVERFOX has been detected (SURICATA)

      • UserAccountBroker.exe (PID: 7904)

    • Connects to the CnC server

      • UserAccountBroker.exe (PID: 7904)

  • SUSPICIOUS

    • Possible Social Engineering Attempted

      • msedge.exe (PID: 5548)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 240)

    • There is functionality for taking screenshot (YARA)

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • ToDesk.exe (PID: 1324)

    • Starts CMD.EXE for commands execution

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • regsvr32.exe (PID: 1188)
      • TaDesk_Setup.exe (PID: 3332)

    • Executable content was dropped or overwritten

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • TaDesk_Setup.exe (PID: 3332)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6252)

    • Executes application which crashes

      • regsvr32.exe (PID: 1188)

    • Connects to unusual port

      • UserAccountBroker.exe (PID: 7904)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • TaDesk_Setup.exe (PID: 3332)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6252)

    • Stops a currently running service

      • sc.exe (PID: 7868)
      • sc.exe (PID: 5728)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2040)
      • sc.exe (PID: 5400)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • TaDesk_Setup.exe (PID: 3332)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • TaDesk_Setup.exe (PID: 3332)

    • Executes as Windows Service

      • ToDesk.exe (PID: 1324)

    • Contacting a server suspected of hosting an CnC

      • UserAccountBroker.exe (PID: 7904)

    • Process drops legitimate windows executable

      • TaDesk_Setup.exe (PID: 3332)

    • Application launched itself

      • ToDesk.exe (PID: 1324)

    • Drops a system driver (possible attempt to evade defenses)

      • TaDesk_Setup.exe (PID: 3332)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 3208)
      • msedge.exe (PID: 7584)

    • Reads Environment values

      • identity_helper.exe (PID: 4736)
      • identity_helper.exe (PID: 7268)

    • Reads the computer name

      • identity_helper.exe (PID: 4736)
      • identity_helper.exe (PID: 7268)
      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • chrmstp.exe (PID: 7508)

    • Checks supported languages

      • identity_helper.exe (PID: 4736)
      • identity_helper.exe (PID: 7268)
      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • chrmstp.exe (PID: 7508)

    • Manual execution by a user

      • WinRAR.exe (PID: 240)
      • UserAccountBroker.exe (PID: 7904)
      • TaDesk_Setup.exe (PID: 6668)
      • TaDesk_Setup.exe (PID: 3332)

    • Creates files or folders in the user directory

      • chrmstp.exe (PID: 7508)
      • regsvr32.exe (PID: 1188)
      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • WerFault.exe (PID: 7384)

    • Process checks whether UAC notifications are on

      • chrmstp.exe (PID: 7508)

    • Reads the machine GUID from the registry

      • chrmstp.exe (PID: 7508)

    • UPX packer has been detected

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)

    • The sample compiled with english language support

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • TaDesk_Setup.exe (PID: 3332)
      • msedge.exe (PID: 7856)

    • Reads the software policy settings

      • slui.exe (PID: 7220)

    • The sample compiled with chinese language support

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)
      • TaDesk_Setup.exe (PID: 3332)

    • Create files in a temporary directory

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7216)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7216)

    • Creates files in the program directory

      • TaDsk_Stup-x64.9.2.exe (PID: 8060)

    • Reads security settings of Internet Explorer

      • regsvr32.exe (PID: 1188)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
255
Monitored processes
118
Malicious processes
5
Suspicious processes
4

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs tadsk_stup-x64.9.2.exe no specs tadsk_stup-x64.9.2.exe chrmstp.exe cmd.exe no specs conhost.exe no specs regsvr32.exe slui.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe no specs #VALLEYRAT useraccountbroker.exe msedge.exe no specs tadesk_setup.exe no specs tadesk_setup.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs todesk.exe no specs todesk.exe todesk.exe no specs todesk.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\TaDsk_Stup-x64.9.2.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
444cmd.exe /c sc delete ToDesk_ServiceC:\Windows\SysWOW64\cmd.exeTaDesk_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
472cmd.exe /c sc delete ToDesk_ServiceC:\Windows\SysWOW64\cmd.exeTaDesk_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
680"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6724 --field-trial-handle=2304,i,13715996004779575042,9476561501149004476,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
772"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2304,i,13715996004779575042,9476561501149004476,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
772"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5116 --field-trial-handle=2288,i,13666841697707500028,14598168501380120445,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
872"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2644 --field-trial-handle=2288,i,13666841697707500028,14598168501380120445,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
928"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5424 --field-trial-handle=2288,i,13666841697707500028,14598168501380120445,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1040netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allowC:\Windows\SysWOW64\netsh.exeTaDesk_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
22 968
Read events
22 861
Write events
85
Delete events
22

Modification events

(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3208) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D292C99C3D952F00
(PID) Process:(3208) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
B496D49C3D952F00
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328478
Operation:writeName:WindowTabManagerFileMappingId
Value:
{D1D4E53F-4A7C-458B-9869-607EBF459386}
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328478
Operation:writeName:WindowTabManagerFileMappingId
Value:
{5F83C166-660F-4EE0-B0D2-8474260A4195}
(PID) Process:(3208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328478
Operation:writeName:WindowTabManagerFileMappingId
Value:
{34D25713-D56A-476B-A312-1AD287DD2D11}
Executable files
25
Suspicious files
531
Text files
130
Unknown types
56

Dropped files

PID
Process
Filename
Type
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State~RF11fd97.TMP
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF11fdb6.TMP
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF11fdb6.TMP
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11ff4c.TMP
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11ff4c.TMP
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
3208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF11ff8b.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
60
DNS requests
70
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8096
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7508
chrmstp.exe
POST
200
43.154.240.217:8080
http://wup.imtt.qq.com:8080/?encrypt=17&len=1024&v=3&iv=47BD999AA6484d80&id=a690d5f54b43ca535af266c3180769c7&qbkey=38FCA39FBBE1BF1B4D8AF483E29412EDF285E46A52FB4E005E8A69DF98F3D35FCC22CC6B0D436A1A9626DF891197E4B637044E5CBB067F58F8A864F61C13E71247E35B5B6395B3E044DC3956E43357902E639D36E4D63EF0A018A510790DA1A95594D1ACB43E4DC9F82435504A10545FF5E0A0E41BC61361AC1F647855EFC0E4
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7184
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9530bc3d-28ec-4dca-8d8d-874a68b1b861?P1=1748975264&P2=404&P3=2&P4=Zz%2b9Y92aV0oLPsP9JxiK98519RDd1u%2fHO6A70%2fA2xjihlMixIxf0fn4BLlv5I0wjJj4T4moGD8CSY0e2JBXe3A%3d%3d
unknown
whitelisted
8096
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7184
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9530bc3d-28ec-4dca-8d8d-874a68b1b861?P1=1748975264&P2=404&P3=2&P4=Zz%2b9Y92aV0oLPsP9JxiK98519RDd1u%2fHO6A70%2fA2xjihlMixIxf0fn4BLlv5I0wjJj4T4moGD8CSY0e2JBXe3A%3d%3d
unknown
whitelisted
7184
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9530bc3d-28ec-4dca-8d8d-874a68b1b861?P1=1748975264&P2=404&P3=2&P4=Zz%2b9Y92aV0oLPsP9JxiK98519RDd1u%2fHO6A70%2fA2xjihlMixIxf0fn4BLlv5I0wjJj4T4moGD8CSY0e2JBXe3A%3d%3d
unknown
whitelisted
7184
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9530bc3d-28ec-4dca-8d8d-874a68b1b861?P1=1748975264&P2=404&P3=2&P4=Zz%2b9Y92aV0oLPsP9JxiK98519RDd1u%2fHO6A70%2fA2xjihlMixIxf0fn4BLlv5I0wjJj4T4moGD8CSY0e2JBXe3A%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4164
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4616
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3208
msedge.exe
239.255.255.250:1900
whitelisted
5548
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5548
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
pub-04959d9029f340cfbb0f6849c1b75e7d.r2.dev
  • 162.159.140.237
  • 172.66.0.235
unknown
business.bing.com
  • 13.107.6.158
whitelisted
update.googleapis.com
  • 172.217.23.99
whitelisted
edgeservices.bing.com
  • 2.16.204.146
  • 2.16.204.153
  • 2.16.204.151
  • 2.16.204.148
  • 2.16.204.156
  • 2.16.204.157
  • 2.16.204.152
  • 2.16.204.147
  • 2.16.204.150
whitelisted

Threats

PID
Process
Class
Message
5548
msedge.exe
A Network Trojan was detected
ET INFO Observed DNS Query to Cloudflare R2 Public Bucket (r2 .dev) Domain
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
5548
msedge.exe
A Network Trojan was detected
ET INFO Observed DNS Query to Cloudflare R2 Public Bucket (r2 .dev) Domain
5548
msedge.exe
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
5548
msedge.exe
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
5548
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
5548
msedge.exe
Misc activity
ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI
7904
UserAccountBroker.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] SilverFox TCP Init Packet
7904
UserAccountBroker.exe
Malware Command and Control Activity Detected
ET MALWARE Winos4.0 Framework CnC Login Message
7904
UserAccountBroker.exe
Malware Command and Control Activity Detected
ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
Process
Message
ToDesk.exe
AuthenticAMDIntel(R)Core(TM)i5-6400CPU@2.70GHz
ToDesk.exe
defaultConfigPath: C
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://pub-04959d9029f340cfbb0f6849c1b75e7d.r2.dev/TaDsk_Stup-x64.9.2.zip