Malware analysis yip.su Malicious activity | ANY.RUN

Add for printing

URL:	yip.su
Full analysis:	https://app.any.run/tasks/50e56fc2-9bf6-424e-bce6-8fc28c8a9244
Verdict:	Malicious activity
Analysis date:	July 06, 2025, 04:08:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MD5:	A6F016F7668499909608687DF16A154E
SHA1:	4E9A1EEF6FEFB378D8EE06B9D9587665AFA64D02
SHA256:	ED10E4D3FD871EBD45B24B6B56072CE78B4A558E435A1B0ED9E4CE8E4A83E322
SSDEEP:	3:91:j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Potential Corporate Privacy Violation
  - msedge.exe (PID: 5012)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

1

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
5012	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --webtransport-developer-mode --string-annotations --always-read-main-dll --field-trial-handle=2180,i,6161488519127897921,10116046693238162506,262144 --variations-seed-version --mojo-platform-channel-handle=2512 /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 133.0.3065.92

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

4

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
5012	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\50ff50c6-4f52-46b0-8de1-11820c7c7c8f.tmp		binary
		MD5:F054A7D6E382DF24018FE84986B710A2	SHA256:4E5235C6B40BCE6C5FD0554D554FCDB38E8016DCDDFA9CAB63103407CAF8DAEB
5012	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State		binary
		MD5:F054A7D6E382DF24018FE84986B710A2	SHA256:4E5235C6B40BCE6C5FD0554D554FCDB38E8016DCDDFA9CAB63103407CAF8DAEB
5012	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RFcaca1.TMP		binary
		MD5:8CA6AC4CD0D4F8B2EA5A9FC6FD4311D7	SHA256:EE810A451AEA499C3D6F89EDB840ED025DF0937874485A211A3BB39F915F4EA0
5012	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b5		binary
		MD5:ED814DB680DCE5BAF71A913825117042	SHA256:051874E37194F6573CDF2FEB40D67E698ECF39B52648E39F6AAC62E0C4D547AE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

134

TCP/UDP connections

88

DNS requests

62

Threats

18

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	—	2.23.181.156:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	whitelisted
—	—	POST	—	2.23.181.156:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	whitelisted
—	—	POST	—	2.23.181.156:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	whitelisted
—	—	POST	—	2.23.181.156:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	whitelisted
—	—	POST	—	2.23.181.156:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	whitelisted
—	—	POST	—	2.23.181.156:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	whitelisted
—	—	HEAD	200	23.212.222.21:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
—	—	GET	200	23.212.222.21:443	https://fs.microsoft.com/fs/windows/config.json	unknown	binary	55 b	whitelisted
—	—	POST	200	40.126.31.2:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	40.126.31.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5324	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	224.0.0.251:5353	—	—	—	unknown
4900	svchost.exe	23.48.23.66:80	msedge.b.tlu.dl.delivery.mp.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	95.100.186.9:443	go.microsoft.com	AKAMAI-AS	FR	whitelisted
5012	msedge.exe	2.16.204.141:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4900	svchost.exe	23.212.222.21:443	fs.microsoft.com	AKAMAI-AS	AU	whitelisted
5012	msedge.exe	188.114.96.3:443	yip.su	CLOUDFLARENET	NL	whitelisted
6360	svchost.exe	40.126.31.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com	23.48.23.66 23.48.23.7 2.16.168.112 2.16.168.108 199.232.214.172 199.232.210.172	whitelisted
go.microsoft.com	95.100.186.9	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	2.16.204.141 2.16.204.161 2.16.241.218 2.16.241.201	whitelisted
fs.microsoft.com	23.212.222.21	whitelisted
yip.su	188.114.96.3 188.114.97.3	whitelisted
login.live.com	40.126.31.128 20.190.159.129 40.126.31.0 20.190.159.131 20.190.159.4 40.126.31.3 20.190.159.75 40.126.31.73	whitelisted
iplogger.org	172.67.74.161 104.26.2.46 104.26.3.46	whitelisted
a.nel.cloudflare.com	35.190.80.1	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
—	—	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in DNS Lookup)
—	—	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in DNS Lookup)
—	—	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in TLS SNI)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in TLS SNI)
—	—	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in TLS SNI)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in TLS SNI)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge

Add for printing

No debug info

General Info

yip.su

A6F016F7668499909608687DF16A154E

4E9A1EEF6FEFB378D8EE06B9D9587665AFA64D02

ED10E4D3FD871EBD45B24B6B56072CE78B4A558E435A1B0ED9E4CE8E4A83E322

3:91:j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Potential Corporate Privacy Violation

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings