File name: MPXTool 3.19.52.zip
Full analysis: https://app.any.run/tasks/43a5b9fd-c427-404c-acb7-c1977ebba5e4
Verdict: Malicious activity
Analysis date: January 06, 2026, 22:43:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, delphi, upx
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: A469583A5209D6E458B684872818E2AD
SHA1: AA8AC684934CE031E1BFFC67BDDA465B92FE8FFF
SHA256: F4AFCEECF4912B703C208F78306E7D0E77B0FD92CACC8ECB1F6A072AD2459A12
SSDEEP: 196608:ErD/xThxyOWgfPRyCYkd3LGa3XRVDxpcmIsnQVFWe4pEgxTV1svi:Er7BSOWMR+kdbGa3BvWmzQXGpPtVT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7576)
    • Executing a file with an untrusted certificate

      • NfRemote.exe (PID: 7724)
      • MpxToolNfApp.exe (PID: 5356)
      • MpxTool_installer_3.19.52.exe (PID: 6300)
      • MpxTool_installer_3.19.52.exe (PID: 6908)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • There is functionality for taking screenshot (YARA)

      • MpxTool_patch_3.19.52_V3.exe (PID: 7996)
      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Executable content was dropped or overwritten

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Reads security settings of Internet Explorer

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Uses REG/REGEDIT.EXE to modify registry

      • MpxTool_installer_3.19.52.exe (PID: 6908)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7576)
    • The sample compiled with french language support

      • WinRAR.exe (PID: 7576)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7576)
      • MpxTool_installer_3.19.52.exe (PID: 6908)
      • NfRemote.exe (PID: 7724)
    • Reads the computer name

      • MpxTool_patch_3.19.52_V3.exe (PID: 7996)
      • NfRemote.exe (PID: 7724)
      • identity_helper.exe (PID: 2228)
      • MpxToolNfApp.exe (PID: 5356)
      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Manual execution by a user

      • MpxTool_patch_3.19.52_V3.exe (PID: 7996)
      • MpxTool_patch_3.19.52_V3.exe (PID: 7944)
      • MpxTool_installer_3.19.52.exe (PID: 6300)
      • MpxTool_installer_3.19.52.exe (PID: 6908)
      • msedge.exe (PID: 8104)
      • MpxToolNfApp.exe (PID: 5356)
    • Checks supported languages

      • MpxTool_patch_3.19.52_V3.exe (PID: 7996)
      • NfRemote.exe (PID: 7724)
      • MpxToolNfApp.exe (PID: 5356)
      • identity_helper.exe (PID: 2228)
      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • UPX packer has been detected

      • MpxTool_patch_3.19.52_V3.exe (PID: 7996)
    • Compiled with Borland Delphi (YARA)

      • MpxTool_patch_3.19.52_V3.exe (PID: 7996)
    • Process checks computer location settings

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Creates a software uninstall entry

      • MpxTool_installer_3.19.52.exe (PID: 6908)
      • NfRemote.exe (PID: 7724)
    • Creates files or folders in the user directory

      • MpxTool_installer_3.19.52.exe (PID: 6908)
      • NfRemote.exe (PID: 7724)
      • MpxToolNfApp.exe (PID: 5356)
    • Application launched itself

      • msedge.exe (PID: 7900)
      • msedge.exe (PID: 7700)
      • msedge.exe (PID: 8104)
    • Reads Environment values

      • identity_helper.exe (PID: 2228)
    • Checks proxy server information

      • slui.exe (PID: 7868)
    • Creates files in the program directory

      • MpxTool_installer_3.19.52.exe (PID: 6908)
    • Create files in a temporary directory

      • MpxTool_installer_3.19.52.exe (PID: 6908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:07:12 10:35:32
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MpxTool 3.19.52/
No data.
All screenshots are available in the full report
Total processes: 182
Monitored processes: 34
Malicious processes: 1
Suspicious processes: 3

Behavior graph

Processes in start order as drawn in the graph ("no specs" is the report's own marker for the entry):
  • start
  • winrar.exe
  • mpxtool_patch_3.19.52_v3.exe (no specs)
  • mpxtool_patch_3.19.52_v3.exe
  • mpxtool_installer_3.19.52.exe (no specs)
  • mpxtool_installer_3.19.52.exe
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • regedit.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • nfremote.exe (no specs)
  • slui.exe
  • msedge.exe (no specs) ×5
  • msedge.exe
  • msedge.exe (no specs) ×2
  • msedge.exe
  • msedge.exe (no specs) ×6
  • identity_helper.exe (no specs) ×2
  • msedge.exe (no specs) ×2
  • mpxtoolnfapp.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 404
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffd70abf208,0x7ffd70abf214,0x7ffd70abf220
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1844
CMD: "C:\WINDOWS\system32\netsh.exe" advfirewall firewall add rule name="MpxTool App" dir=in action=allow program="C:\Program Files\MpxToolNf\MpxToolNfApp.exe" enable=yes
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MpxTool_installer_3.19.52.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
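The netsh command recorded for PID 1844 above is the concrete artifact behind the "Uses NETSH.EXE to add a firewall rule or allowed programs" signature: the installer opens an inbound allow rule for the application it has just dropped into Program Files (the CMD names system32 while the resolved Path is SysWOW64, which is the normal WoW64 file-system redirection for a 32-bit parent). The following is an added example, not code from ANY.RUN or from the MpxTool project. It scans process-creation events written in an assumed "Field: value | Field: value" line layout (Sysmon Event ID 1 field names) and reports netsh invocations that open the firewall for a program, covering both the advfirewall syntax seen here and the legacy `netsh firewall add allowedprogram` form that the signature name also refers to. The first sample event reuses the command line from this report; the other events, the parent image names and the event layout are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Modern syntax: netsh advfirewall firewall add rule name=... dir=... action=... program=...
ADV_ADD_RULE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
# Legacy (pre-Vista, still accepted) syntax: netsh firewall add allowedprogram program=... name=... mode=...
LEGACY_ALLOWEDPROGRAM = re.compile(r"\bfirewall\s+add\s+allowedprogram\b", re.I)
# key=value tokens; the value is a double-quoted string or a run of non-blank characters
KV_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

PID_RE = re.compile(r"\bProcessId:\s*(\d+)")
CMD_RE = re.compile(r"\bCommandLine:\s*(.*)$")

# Constructed process-creation events in an assumed "Field: value | Field: value" layout
# (Sysmon Event ID 1 field names). Only the first command line is taken from this report
# (PID 1844); the other events are invented to exercise the legacy syntax, a block rule and
# a read-only query that must not be flagged.
SAMPLE_EVENTS = [
    r'ProcessId: 1844 | Image: C:\Windows\SysWOW64\netsh.exe | ParentImage: MpxTool_installer_3.19.52.exe | CommandLine: "C:\WINDOWS\system32\netsh.exe" advfirewall firewall add rule name="MpxTool App" dir=in action=allow program="C:\Program Files\MpxToolNf\MpxToolNfApp.exe" enable=yes',
    r'ProcessId: 4120 | Image: C:\Windows\System32\netsh.exe | ParentImage: update.exe | CommandLine: netsh firewall add allowedprogram program="C:\Users\admin\AppData\Local\Temp\update.exe" name="Updater" mode=ENABLE',
    r'ProcessId: 5300 | Image: C:\Windows\System32\netsh.exe | ParentImage: cmd.exe | CommandLine: netsh advfirewall firewall add rule name="Block tool" dir=out action=block program="C:\tools\x.exe"',
    r'ProcessId: 5012 | Image: C:\Windows\System32\netsh.exe | ParentImage: cmd.exe | CommandLine: netsh advfirewall firewall show rule name=all',
]


@dataclass
class FirewallRule:
    pid: int
    syntax: str          # "advfirewall" or "legacy"
    name: str
    program: str
    direction: str       # "in"/"out"; legacy allowedprogram entries are inbound exceptions
    action: str          # "allow"/"block"; legacy mode=ENABLE/DISABLE is mapped onto these
    command_line: str

    @property
    def is_allow(self) -> bool:
        return self.action == "allow"


def _kv(cmdline: str) -> dict:
    """Collect key=value tokens (keys lower-cased, quotes stripped from values)."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_TOKEN.finditer(cmdline)}


def parse_netsh_firewall(pid: int, cmdline: str) -> Optional[FirewallRule]:
    """Return a FirewallRule for netsh invocations that add a rule/exception, else None.

    The positional legacy form (netsh firewall add allowedprogram <path> <name> ENABLE)
    is not handled; only key=value arguments are parsed.
    """
    if ADV_ADD_RULE.search(cmdline):
        kv = _kv(cmdline)
        return FirewallRule(pid, "advfirewall", kv.get("name", ""), kv.get("program", ""),
                            kv.get("dir", "").lower(), kv.get("action", "").lower(), cmdline)
    if LEGACY_ALLOWEDPROGRAM.search(cmdline):
        kv = _kv(cmdline)
        mode = kv.get("mode", "ENABLE").upper()
        return FirewallRule(pid, "legacy", kv.get("name", ""), kv.get("program", ""), "in",
                            "allow" if mode == "ENABLE" else "block", cmdline)
    return None


def find_firewall_allow_rules(events: Iterable[str]) -> Iterator[FirewallRule]:
    """Yield every event in which netsh opens the firewall for a program."""
    for line in events:
        pid_m, cmd_m = PID_RE.search(line), CMD_RE.search(line)
        if not (pid_m and cmd_m):
            continue
        cmdline = cmd_m.group(1)
        if "netsh" not in cmdline.lower():
            continue
        rule = parse_netsh_firewall(int(pid_m.group(1)), cmdline)
        if rule is not None and rule.is_allow:
            yield rule


if __name__ == "__main__":
    for rule in find_firewall_allow_rules(SAMPLE_EVENTS):
        print(f"PID {rule.pid}: {rule.syntax} allow rule {rule.name!r} dir={rule.direction} program={rule.program}")
```

An allow rule added by an installer for a binary under Program Files is routine for legitimate software, so the triage question is whether that binary and its publisher are expected on the host, not whether the rule exists; the detector therefore reports the rule name, program path and parent so the analyst can make that call. The rule can be removed with the standard `netsh advfirewall firewall delete rule name="MpxTool App"`.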
PID: 2228
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5836,i,13330538212367897682,10590349607989805820,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2252
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2468,i,13330538212367897682,10590349607989805820,262144 --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2872
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2360,i,9700365127855759165,350356939104742687,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3088
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5204,i,13330538212367897682,10590349607989805820,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4552
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5200,i,13330538212367897682,10590349607989805820,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4968
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2712,i,13330538212367897682,10590349607989805820,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5356
CMD: "C:\Program Files\MpxToolNf\MpxToolNfApp.exe"
Path: C:\Program Files\MpxToolNf\MpxToolNfApp.exe
Parent process: explorer.exe
User:
admin
Company:
Leif Claesson
Integrity Level:
MEDIUM
Description:
MpxToolNf
Exit code:
0
Version:
3.19.52.0
Modules
Images
c:\program files\mpxtoolnf\mpxtoolnfapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 5700
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5836,i,13330538212367897682,10590349607989805820,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
Total events: 7 842
Read events: 7 793
Write events: 49
Delete events: 0

Modification events

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0
Value: C:\Users\admin\AppData\Local\Temp\MPXTool 3.19.52.zip

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name
Value: 120

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size
Value: 80

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type
Value: 120

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime
Value: 100

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write, Name: name
Value: 256

(PID 7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write, Name: size
Value: 80
Executable files: 8
Suspicious files: 63
Text files: 158
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 7576, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7576.5769\MpxTool 3.19.52\MpxTool_installer_3.19.52.exe
Type: executable
MD5: EA16CFC7F7465F14B034D5B732C7A371
SHA256: 007B82CB877EAC4E60194B2C0A807E1FF7D61018B93DE7F644A6B141CA701CD9

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\MpxToolNfSvc.exe
Type: binary
MD5: B314F22C13C16FACBF82B5E935E7E111
SHA256: ABFD4A26F177B48915300E26FFE05C2454B862FABD8A35DDD375DC3BCCE48D2B

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\MpxToolNfApp.ini
Type: text
MD5: 36B8FEBEE2498BB93B021636BB00EB7B
SHA256: 0693E0C03C2C1BA88BE9536D63AE79C15B4477C69B6287A2139BDFD4FF546890

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\QSG\qsg1_icons.png
Type: image
MD5: F00003D77D62448D4B0F5102A210CA9E
SHA256: 3F70FBBEBDF931121C5CF8DEF423D5AC93961872145C07645609293DCDB500B5

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\MpxToolNfSvc.ini
Type: text
MD5: 36B8FEBEE2498BB93B021636BB00EB7B
SHA256: 0693E0C03C2C1BA88BE9536D63AE79C15B4477C69B6287A2139BDFD4FF546890

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\MpxtoolNf.ico
Type: image
MD5: 9F96D61A8E02DEFA34F3EBFBF801C800
SHA256: 3F5119E702BAE6A73946AF42DD41C4B1D903F0F5CDBF7FDE08748CC1A194705F

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\QSG\MpxTool QSG.html
Type: html
MD5: 25A1F9220BC394D33976B94CB15758C6
SHA256: 0B14DFD0BFE53CFD8E1F1679BD07AEC4483C529FF5488B58838C478C84B6B179

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\service_off.ico
Type: image
MD5: E235A829DB27E9CA561F44AD5BE5AAD4
SHA256: 5BF61F4342F0E1CD2E427DF6B8541018E54278006E51B67F4C31F6DAB67245EB

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\config.ico
Type: image
MD5: 55DCF079B63EF98C7D2639730028F207
SHA256: BD6F32A0175FF10568C79B9F3F875195989F0FDAB0A569279D4349E2AA2293E9

PID 6908, MpxTool_installer_3.19.52.exe
Filename: C:\Program Files\MpxToolNf\service_on.ico
Type: image
MD5: C38747549C8BC9CE1CCF7CC4A235ED56
SHA256: 101D134BEAF9A5087B0AC2DA4A71208FC68DA2248681ADB6EE04785F5105C171
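The dropped-file list pairs every artifact with its MD5/SHA256, and the MALICIOUS section flags several of the executables as "Executing a file with an untrusted certificate". The following is an added triage script, not code from ANY.RUN or from the MpxTool project: it hashes files, matches them against the SHA256 values copied from this report (the archive, the extracted installer and the dropped service binary), and, for PE images, reads the IMAGE_DIRECTORY_ENTRY_SECURITY slot of the optional header to tell whether an Authenticode blob is embedded at all. The `build_minimal_pe` helper fabricates a header-only PE purely as constructed test input. Finding a blob is not the same as the signature being trusted: the property the sandbox signature is about requires validating the certificate chain against the host's trust store, which `Get-AuthenticodeSignature` or `signtool verify` does and this script deliberately does not.

```python
import hashlib
import struct
from pathlib import Path
from typing import Dict, Iterator, Optional, Tuple

# SHA-256 values copied from this report: the submitted archive, the installer extracted
# by WinRAR, and the service binary the installer dropped into Program Files.
REPORT_SHA256: Dict[str, str] = {
    "F4AFCEECF4912B703C208F78306E7D0E77B0FD92CACC8ECB1F6A072AD2459A12": "MPXTool 3.19.52.zip",
    "007B82CB877EAC4E60194B2C0A807E1FF7D61018B93DE7F644A6B141CA701CD9": "MpxTool_installer_3.19.52.exe",
    "ABFD4A26F177B48915300E26FFE05C2454B862FABD8A35DDD375DC3BCCE48D2B": "MpxToolNfSvc.exe",
}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot that points at the Authenticode blob


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def pe_security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Locate the Authenticode signature of a PE image.

    Returns (file_offset, size) of the WIN_CERTIFICATE blob, (0, 0) when the image carries
    no signature, or None when the bytes are not a parseable PE. Unlike the other directory
    entries, the security entry's first field is a raw file offset, not an RVA.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # start of the optional header
    if size_of_optional < 2 or opt + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        return None
    if opt + num_dirs_off + 4 > len(data):
        return None
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size)


def triage_bytes(name: str, data: bytes) -> Dict[str, object]:
    """Hash one artifact, match it against the report IOCs and note whether a signature blob exists."""
    digest = sha256_hex(data)
    sec = pe_security_directory(data)
    return {
        "name": name,
        "sha256": digest,
        "ioc_match": REPORT_SHA256.get(digest),   # report file name on a hit, else None
        "is_pe": sec is not None,
        "authenticode_blob": bool(sec and sec[1] > 0),
    }


def triage_tree(root: Path) -> Iterator[Dict[str, object]]:
    """Walk an extracted install directory (for example a copy of C:\\Program Files\\MpxToolNf)."""
    for path in sorted(root.rglob("*")):
        if path.is_file():
            yield triage_bytes(str(path), path.read_bytes())


def build_minimal_pe(pe32plus: bool = True, sig_size: int = 0) -> bytes:
    """Constructed test input: a header-only PE with an optional zero-filled security blob."""
    opt_size = 240 if pe32plus else 224      # standard optional-header sizes with 16 directories
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    num_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, num_dirs_off, 16)
    header_len = len(dos) + len(coff) + opt_size
    if sig_size:
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, sig_size)
    return dos + coff + bytes(opt) + b"\0" * sig_size


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        rows = list(triage_tree(Path(sys.argv[1])))
    else:
        rows = [triage_bytes("demo.exe", build_minimal_pe(sig_size=64))]
    for row in rows:
        print(row)
```

Run it against a directory of recovered artifacts to get, per file, the IOC hit (if any) and whether an Authenticode blob is present; files that match REPORT_SHA256 are the ones this sandbox run already characterised, and a PE with no blob at all cannot be the "untrusted certificate" case, so the two outputs split the set into hash-known, unsigned and signed-but-still-to-be-verified.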
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 42
TCP/UDP connections: 47
DNS requests: 39
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
51.104.136.2:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
1156
SIHClient.exe
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
1156
SIHClient.exe
GET
200
135.233.95.144:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
1156
SIHClient.exe
GET
304
135.233.95.144:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
6296
svchost.exe
GET
200
184.24.77.10:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
6296
svchost.exe
GET
200
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
5.51 Kb
whitelisted
6296
svchost.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
6296
svchost.exe
GET
200
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
1.43 Kb
whitelisted
800
svchost.exe
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
6296
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1412
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
6296
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6296
svchost.exe
184.24.77.10:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6296
svchost.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
3412
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.10
  • 184.24.77.14
  • 184.24.77.11
  • 184.24.77.33
  • 184.24.77.9
  • 184.24.77.35
  • 184.24.77.12
  • 184.24.77.13
  • 184.24.77.36
  • 184.24.77.37
  • 184.24.77.29
  • 184.24.77.34
  • 184.24.77.23
  • 184.24.77.41
  • 184.24.77.30
whitelisted
www.microsoft.com
  • 72.246.29.11
  • 23.59.18.102
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.22
  • 20.190.160.67
  • 40.126.32.72
  • 20.190.160.65
  • 20.190.160.66
  • 20.190.160.130
  • 20.190.160.132
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info