URL:

https://kelvrix.cfd/Audio-wav/voicemail.html

Full analysis: https://app.any.run/tasks/81a48c30-3176-4d51-9c48-cfdda4c30cf8
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: February 20, 2026, 15:54:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
fileshare
simplehelp
rmm-tool
adware
loader
antivm
Indicators:
MD5:

000E2610F1E59011F2C7366AF0FF1DD3

SHA1:

83BBF938330E9C1DE13AC929F22FFBB57262736C

SHA256:

EBED9EEFE64FDE6A3DDA9B994F5DE341CE873BEF183D9F84821E3A9ECC2ACBD2

SSDEEP:

3:N8FmID8/MKI3TIWtT8:2JD3TIoT8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SIMPLEHELP has been detected

      • msedge.exe (PID: 8108)
      • Voicemailaudio222896.scr (PID: 1432)
      • SimpleService.exe (PID: 7760)
      • Remote Access Service.exe (PID: 1856)
      • Remote Access.exe (PID: 2480)
      • session_win.exe (PID: 6200)
      • session_win.exe (PID: 2312)
      • session_win.exe (PID: 2680)
      • session_win.exe (PID: 3188)
      • session_win.exe (PID: 8720)
      • session_win.exe (PID: 5964)
      • session_win.exe (PID: 8004)
      • session_win.exe (PID: 8944)
      • session_win.exe (PID: 5632)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • msedge.exe (PID: 8108)

    • Executable content was dropped or overwritten

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote Access.exe (PID: 6444)

    • Access to an unwanted program domain was detected

      • Voicemailaudio222896.scr (PID: 1432)

    • The process drops C-runtime libraries

      • Voicemailaudio222896.scr (PID: 1432)

    • Uses ICACLS.EXE to modify access control lists

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote Access.exe (PID: 6444)
      • Remote Access.exe (PID: 2480)

    • Executes as Windows Service

      • SimpleService.exe (PID: 7760)

    • Creates or modifies Windows services

      • Remote Access.exe (PID: 2480)

    • Suspicious use of NETSH.EXE

      • Remote Access.exe (PID: 2480)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Remote Access.exe (PID: 2480)

    • There is functionality for VM detection VirtualBox (YARA)

      • Remote Access.exe (PID: 2480)

    • There is functionality for VM detection antiVM strings (YARA)

      • Remote Access.exe (PID: 2480)

    • There is functionality for VM detection VMWare (YARA)

      • Remote Access.exe (PID: 2480)

  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 6536)
      • Voicemailaudio222896.scr (PID: 1432)
      • Remote AccessLauncher.exe (PID: 5528)
      • Remote Access.exe (PID: 6444)
      • Remote Access.exe (PID: 2480)

    • Checks supported languages

      • Voicemailaudio222896.scr (PID: 1432)
      • identity_helper.exe (PID: 6536)
      • windowslauncher.exe (PID: 6440)
      • Remote AccessLauncher.exe (PID: 5528)
      • Remote Access.exe (PID: 6444)
      • SimpleService.exe (PID: 7828)
      • SimpleService.exe (PID: 8700)
      • SimpleService.exe (PID: 7760)
      • Remote Access Service.exe (PID: 1856)
      • Remote Access.exe (PID: 2480)
      • session_win.exe (PID: 6200)
      • elev_win.exe (PID: 7932)
      • session_win.exe (PID: 2312)
      • elev_win.exe (PID: 5708)
      • session_win.exe (PID: 3188)
      • elev_win.exe (PID: 1824)
      • session_win.exe (PID: 8720)
      • elev_win.exe (PID: 6320)
      • elev_win.exe (PID: 1700)
      • session_win.exe (PID: 2680)
      • session_win.exe (PID: 8004)
      • elev_win.exe (PID: 7428)
      • elev_win.exe (PID: 3536)
      • session_win.exe (PID: 8944)
      • elev_win.exe (PID: 9064)
      • session_win.exe (PID: 5632)
      • elev_win.exe (PID: 508)
      • session_win.exe (PID: 5964)

    • Application launched itself

      • msedge.exe (PID: 8108)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 8108)

    • Reads the computer name

      • identity_helper.exe (PID: 6536)
      • Voicemailaudio222896.scr (PID: 1432)
      • SimpleService.exe (PID: 7828)
      • SimpleService.exe (PID: 8700)
      • SimpleService.exe (PID: 7760)
      • Remote Access.exe (PID: 6444)
      • Remote Access.exe (PID: 2480)
      • session_win.exe (PID: 6200)
      • session_win.exe (PID: 2312)
      • session_win.exe (PID: 2680)
      • session_win.exe (PID: 8720)
      • session_win.exe (PID: 3188)
      • session_win.exe (PID: 5964)
      • session_win.exe (PID: 8004)
      • session_win.exe (PID: 8944)
      • session_win.exe (PID: 5632)

    • SIMPLEHELP has been detected

      • Voicemailaudio222896.scr (PID: 1432)
      • icacls.exe (PID: 7204)
      • Remote Access.exe (PID: 6444)
      • SimpleService.exe (PID: 7828)
      • SimpleService.exe (PID: 8700)
      • SimpleService.exe (PID: 7760)
      • Remote Access.exe (PID: 2480)
      • icacls.exe (PID: 7104)

    • Creates files in the program directory

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote AccessLauncher.exe (PID: 5528)
      • Remote Access.exe (PID: 6444)
      • Remote Access Service.exe (PID: 1856)
      • Remote Access.exe (PID: 2480)

    • Checks proxy server information

      • Voicemailaudio222896.scr (PID: 1432)
      • slui.exe (PID: 8648)

    • Reads security settings of Internet Explorer

      • Voicemailaudio222896.scr (PID: 1432)
      • netsh.exe (PID: 3628)
      • netsh.exe (PID: 6444)

    • Creates files or folders in the user directory

      • Voicemailaudio222896.scr (PID: 1432)

    • The sample compiled with english language support

      • Voicemailaudio222896.scr (PID: 1432)

    • Process checks computer location settings

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote AccessLauncher.exe (PID: 5528)
      • Remote Access.exe (PID: 6444)
      • Remote Access.exe (PID: 2480)

    • Reads CPU info

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote AccessLauncher.exe (PID: 5528)
      • Remote Access.exe (PID: 6444)
      • Remote Access.exe (PID: 2480)

    • Create files in a temporary directory

      • Remote AccessLauncher.exe (PID: 5528)
      • Voicemailaudio222896.scr (PID: 1432)
      • Remote Access.exe (PID: 6444)

    • Reads the machine GUID from the registry

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote Access.exe (PID: 2480)

    • Creates a software uninstall entry

      • Voicemailaudio222896.scr (PID: 1432)
      • Remote Access.exe (PID: 6444)

    • There is functionality for taking screenshot (YARA)

      • Remote Access.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
254
Monitored processes
98
Malicious processes
14
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs voicemailaudio222896.scr no specs THREAT voicemailaudio222896.scr windowslauncher.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs remote accesslauncher.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs remote access.exe icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs simpleservice.exe no specs simpleservice.exe no specs THREAT simpleservice.exe no specs THREAT remote access service.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs THREAT remote access.exe icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs THREAT session_win.exe no specs elev_win.exe no specs msedge.exe no specs msedge.exe no specs THREAT session_win.exe no specs elev_win.exe no specs msedge.exe no specs THREAT session_win.exe no specs elev_win.exe no specs msedge.exe no specs msedge.exe no specs THREAT session_win.exe no specs elev_win.exe no specs msedge.exe no specs THREAT session_win.exe no specs elev_win.exe no specs msedge.exe no specs THREAT session_win.exe no specs elev_win.exe no specs THREAT session_win.exe no specs elev_win.exe no specs THREAT session_win.exe no specs elev_win.exe no specs THREAT session_win.exe no specs elev_win.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
416\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
508"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4292,i,12156129405847830654,3020221368786845165,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
508"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-Remote Access-00118607124-complete\elev_win.exe" "--mouselocation" C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-Remote Access-00118607124-complete\elev_win.exesession_win.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1879
Version:
5.5.14.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access bundle-00118607124\jwrapper-remote access-00118607124-complete\elev_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1424icacls "C:\ProgramData\JWrapper-Remote Access\JWApps" /t /c /grant *S-1-5-32-545:(OI)(CI)RXC:\Windows\System32\icacls.exeRemote Access.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
1432"C:\Users\admin\Downloads\Voicemailaudio222896.scr" /SC:\Users\admin\Downloads\Voicemailaudio222896.scr
msedge.exe
User:
admin
Company:
SimpleHelp Ltd
Integrity Level:
HIGH
Description:
SimpleHelp Remote Access Client
Exit code:
0
Version:
5.5.14.0
Modules
Images
c:\users\admin\downloads\voicemailaudio222896.scr
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32full.dll
1520\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeicacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1700"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-Remote Access-00118607124-complete\elev_win.exe" "--mouselocation" C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-Remote Access-00118607124-complete\elev_win.exesession_win.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1616
Version:
5.5.14.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access bundle-00118607124\jwrapper-remote access-00118607124-complete\elev_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1824"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-Remote Access-00118607124-complete\elev_win.exe" "--mouselocation" C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-Remote Access-00118607124-complete\elev_win.exesession_win.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
1616
Version:
5.5.14.0
Modules
Images
c:\programdata\jwrapper-remote access\jwrapper-remote access bundle-00118607124\jwrapper-remote access-00118607124-complete\elev_win.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1856"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe
SimpleService.exe
User:
SYSTEM
Company:
SimpleHelp Ltd
Integrity Level:
SYSTEM
Description:
SimpleHelp Remote Access Client
Exit code:
0
Version:
5.5.14.0
Modules
Images
c:\programdata\jwrapper-remote access\jwappssharedconfig\simplegatewayservice\remote access service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\win32u.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winhttp.dll
1884icacls "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\SimpleGatewayService\Remote Access Service.exe" /t /c /grant *S-1-5-32-545:RXC:\Windows\System32\icacls.exeRemote Access.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
8 951
Read events
8 883
Write events
52
Delete events
16

Modification events

(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:EstimatedSize
Value:
116387
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:UninstallString
Value:
"C:\ProgramData\JWrapper-Remote Access\Remote AccessWinLauncher.exe" JWVAPP JWRAPPER_UNINSTALLER
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:DisplayName
Value:
Remote Access
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:DisplayIcon
Value:
"C:\ProgramData\JWrapper-Remote Access\JWApps\Remote_Access_ConfigureICO.ico"
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:InstallLocation
Value:
"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00118607124\JWrapper-JWrapper-00118607049-complete"
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:URLUpdateInfo
Value:
http://172.86.126.246/access/
(PID) Process:(1432) Voicemailaudio222896.scrKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Access
Operation:writeName:DisplayVersion
Value:
5.5.14.0
Executable files
116
Suspicious files
136
Text files
308
Unknown types
36

Dropped files

PID
Process
Filename
Type
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e514a.TMP
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e515a.TMP
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e515a.TMP
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e515a.TMP
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e515a.TMP
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
8108msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
206
TCP/UDP connections
74
DNS requests
78
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3384
msedge.exe
GET
200
2.16.241.222:443
https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json
unknown
binary
665 Kb
whitelisted
3384
msedge.exe
GET
200
188.114.97.3:443
https://kelvrix.cfd/favicon.ico
unknown
html
1.24 Kb
unknown
3384
msedge.exe
GET
200
188.114.97.3:443
https://kelvrix.cfd/Audio-wav/voicemail.html
unknown
html
1.24 Kb
unknown
3384
msedge.exe
GET
302
188.114.97.3:443
https://kelvrix.cfd/Audio-wav/voicemail.html
unknown
html
142 b
unknown
3384
msedge.exe
GET
200
188.114.97.3:443
https://kelvrix.cfd/?v=c3cd&session=1f3a8ceefa10933c5635f8ca80d1a4b1&ray=2d85180f4afd4417&ts=1771602884&geo=US&ver=4.2.0
unknown
html
7.74 Kb
unknown
3384
msedge.exe
GET
304
150.171.28.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
unknown
whitelisted
3384
msedge.exe
GET
200
188.114.97.3:443
https://kelvrix.cfd/?v=12de6&session=6900b6203f08e931e9144d8404105f20&ray=d509df02744415f4&ts=1771602884&geo=US&ver=4.2.0
unknown
html
8.79 Kb
unknown
3384
msedge.exe
GET
200
13.107.246.45:443
https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v1/GetGlobalConfig?EdgeChannel=stable&EdgeVersion=133.0.3065.92&ConfigVersion=0
unknown
text
393 Kb
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3004
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
6768
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8628
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5568
SearchApp.exe
2.16.241.207:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3412
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3384
msedge.exe
150.171.27.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3384
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
  • 20.189.173.13
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 2.16.241.207
  • 2.16.241.216
  • 2.16.241.218
  • 2.16.241.206
  • 2.16.241.205
  • 2.16.241.222
  • 92.123.104.26
  • 92.123.104.31
  • 92.123.104.34
  • 92.123.104.32
  • 92.123.104.29
  • 92.123.104.30
  • 92.123.104.24
  • 92.123.104.36
  • 92.123.104.33
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
kelvrix.cfd
  • 188.114.97.3
  • 188.114.96.3
unknown

Threats

PID
Process
Class
Message
3384
msedge.exe
Misc activity
ET INFO Observed DNS Query to .cfd TLD
3384
msedge.exe
Misc activity
ET INFO Observed DNS Query to .cfd TLD
3384
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3384
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3384
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3384
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3384
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
3384
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
3384
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
3384
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://kelvrix.cfd/Audio-wav/voicemail.html