URL:

https://electrum-usdt.com/download/windows

Full analysis: https://app.any.run/tasks/f58e6f8b-826e-4a55-abff-dedaf1e45e65
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: November 27, 2024, 13:35:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
advancedinstaller
loader
rat
rurat
Indicators:
MD5:

FA0F311E6B0AB38F3396FA04EAE69F21

SHA1:

5A3AFDC34CB9BE0840980D3DBD6B24A125EEF8F0

SHA256:

FC729E79B93A9FD9A967D68DA2167B10F3B978B975B81E42A8BAE102D8FAC3CC

SSDEEP:

3:N8WRXQ19MLdY:2b9M5Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADVANCEDINSTALLER has been detected (SURICATA)

      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • msiexec.exe (PID: 1988)
      • Electrum-usdt-4.7.5.exe (PID: 7568)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 644)
    • Changes powershell execution policy (RemoteSigned)

      • cmd.exe (PID: 7920)
    • Executing a file with an untrusted certificate

      • rfusclient.exe (PID: 372)
      • rutserv.exe (PID: 2136)
      • rutserv.exe (PID: 7708)
    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 5584)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3852)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • spoolsv.exe (PID: 7444)
      • setupdrv.exe (PID: 5116)
      • srvinst.exe (PID: 8024)
      • Electrum-usdt-4.7.5.exe (PID: 7568)
    • Process drops legitimate windows executable

      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • msiexec.exe (PID: 4540)
      • setupdrv.exe (PID: 5116)
      • Electrum-usdt-4.7.5.exe (PID: 7568)
    • Access to an unwanted program domain was detected

      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • msiexec.exe (PID: 1988)
      • Electrum-usdt-4.7.5.exe (PID: 7568)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7920)
      • msiexec.exe (PID: 5584)
    • Executing commands from a ".bat" file

      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • Electrum-usdt-4.7.5.exe (PID: 7568)
      • cmd.exe (PID: 4864)
      • cmd.exe (PID: 1496)
    • Starts CMD.EXE for commands execution

      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • powershell.exe (PID: 644)
      • powershell.exe (PID: 5500)
      • Electrum-usdt-4.7.5.exe (PID: 7568)
      • cmd.exe (PID: 4864)
      • cmd.exe (PID: 1496)
    • Starts process via Powershell

      • powershell.exe (PID: 644)
    • Kill processes via PowerShell

      • powershell.exe (PID: 4160)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 640)
      • cmd.exe (PID: 5484)
      • cmd.exe (PID: 7348)
      • powershell.exe (PID: 3852)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4540)
    • Connects to unusual port

      • rutserv.exe (PID: 8152)
    • Application launched itself

      • rfusclient.exe (PID: 4972)
      • Electrum-usdt-4.7.5.exe (PID: 4840)
      • cmd.exe (PID: 4864)
      • rutserv.exe (PID: 8152)
      • cmd.exe (PID: 1496)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7348)
      • powershell.exe (PID: 3852)
      • cmd.exe (PID: 4864)
      • cmd.exe (PID: 1496)
    • Connects to SMTP port

      • rutserv.exe (PID: 8152)
    • Potential Corporate Privacy Violation

      • msiexec.exe (PID: 4540)
    • The process hide an interactive prompt from the user

      • msiexec.exe (PID: 5584)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 5584)
    • The process executes Powershell scripts

      • msiexec.exe (PID: 5584)
    • Likely accesses (executes) a file from the Public directory

      • attrib.exe (PID: 7896)
      • attrib.exe (PID: 4828)
  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5972)
      • msedge.exe (PID: 4300)
      • msiexec.exe (PID: 4540)
    • Checks supported languages

      • identity_helper.exe (PID: 7788)
    • Reads Environment values

      • identity_helper.exe (PID: 7788)
    • Reads the computer name

      • identity_helper.exe (PID: 7788)
    • Application launched itself

      • msedge.exe (PID: 5972)
      • msedge.exe (PID: 7760)
    • Drops Remote Utils RAT executable file

      • msiexec.exe (PID: 4540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
335
Monitored processes
188
Malicious processes
5
Suspicious processes
12

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs electrum-usdt-4.7.5.exe no specs #ADVANCEDINSTALLER electrum-usdt-4.7.5.exe msedge.exe no specs msedge.exe no specs msiexec.exe #ADVANCEDINSTALLER msiexec.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs electrum-usdt-4.7.5.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs msiexec.exe no specs msiexec.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs tiworker.exe no specs searchapp.exe rfusclient.exe no specs rutserv.exe no specs rutserv.exe no specs rutserv.exe no specs mobsync.exe no specs srvinst.exe setupdrv.exe spoolsv.exe no specs setupdrv.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs spoolsv.exe srvinst.exe vpdagent.exe no specs rutserv.exe no specs cmd.exe no specs conhost.exe no specs rutserv.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs rfusclient.exe no specs rfusclient.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs rfusclient.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs #ADVANCEDINSTALLER electrum-usdt-4.7.5.exe msiexec.exe no specs powershell.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs reg.exe no specs reg.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe msedge.exe no specs mobsync.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs rutserv.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
8attrib C:\Users\Public\hd.xml +s +hC:\Windows\SysWOW64\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
244C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Electrum-USDT\Electrum-USDT\prerequisites\7SecurityCenter.bat" "C:\Windows\SysWOW64\cmd.exeElectrum-usdt-4.7.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
372"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\admin\AppData\Roaming\Electrum-USDT\Electrum-USDT\prerequisites\RequiredApplication\set.msi"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exemsiexec.exe
User:
admin
Company:
Remote Utilities Pty (Cy) Ltd.
Integrity Level:
HIGH
Description:
Remote Utilities - Host
Exit code:
0
Version:
7.1.7.0
Modules
Images
c:\program files (x86)\remote utilities - host\rfusclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
544attrib +s +h "C:\Program Files (x86)\Remote Utilities - Host"C:\Windows\SysWOW64\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
640"C:\WINDOWS\system32\cmd.exe" /s,/c,REG ADD HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayItemsDisplay /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoTrayItemsDisplay /T REG_DWORD /D 1 /F & REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoTrayItemsDisplay /T REG_DWORD /D 1 /F C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
644powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/s,/c,REG ADD "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayItemsDisplay /t REG_DWORD /d 1 /f & REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /V NoTrayItemsDisplay /T REG_DWORD /D 1 /F & REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /V NoTrayItemsDisplay /T REG_DWORD /D 1 /F' -Verb runAs"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
876REG ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}" /v SystemComponent /t REG_DWORD /d 1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
968REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoTrayItemsDisplay /T REG_DWORD /D 1 /F C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
1016C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Electrum-USDT\Electrum-USDT\prerequisites\10setup2.bat" "C:\Windows\SysWOW64\cmd.exeElectrum-usdt-4.7.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
1144ATTRIB -r "C:\Users\admin\AppData\Local\Temp\AIE26C2.tmp" C:\Windows\SysWOW64\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
97 745
Read events
96 494
Write events
1 220
Delete events
31

Modification events

(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5972) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
47470C537B862F00
(PID) Process:(5972) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
FFC216537B862F00
(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328536
Operation:writeName:WindowTabManagerFileMappingId
Value:
{F1EC7419-16B0-44CF-B91F-822B7F303FB8}
(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328536
Operation:writeName:WindowTabManagerFileMappingId
Value:
{A8A607A0-872B-4877-8F05-A3B49D20DA2F}
(PID) Process:(5972) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
C07B73537B862F00
(PID) Process:(5972) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Executable files
98
Suspicious files
536
Text files
531
Unknown types
11

Dropped files

PID
Process
Filename
Type
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\fc3a17c9-e2a4-4dfb-999f-7c2d7b5ef218.tmp
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135854.TMP
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135854.TMP
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135854.TMP
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135854.TMP
MD5:
SHA256:
5972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
68
TCP/UDP connections
106
DNS requests
84
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5568
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7824
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/f4de835d-146f-44d0-9116-4cc8ed0455e7?P1=1733204195&P2=404&P3=2&P4=OlRsWJsgU%2fFXr4mA%2bF56o6R3hjjoKOhrT3SzNj%2bvKhQGGoY1Q8Na2KAJ8mlIBWIt%2bG5A4UYuCnbjfjXaxOAkwQ%3d%3d
unknown
whitelisted
7824
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e74ec02c-7f50-4b67-9a51-6cc67399bc04?P1=1733294819&P2=404&P3=2&P4=bDy6LQw2Q4LH7JSBugL84gng54yR%2f5n03g1RMuJi1KQ00nbmlUNxXyv%2f5Tgqa5949CmtSWwUwCgg2rm6OOqJXQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2548
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2548
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
432
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.170:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 104.126.37.170
  • 104.126.37.155
  • 104.126.37.160
  • 104.126.37.184
  • 104.126.37.128
  • 104.126.37.161
  • 104.126.37.168
  • 104.126.37.186
  • 104.126.37.185
  • 2.23.209.167
  • 2.23.209.178
  • 2.23.209.169
  • 2.23.209.174
  • 2.23.209.173
  • 2.23.209.175
  • 2.23.209.171
  • 2.23.209.168
  • 2.23.209.176
  • 2.23.209.150
  • 2.23.209.160
  • 2.23.209.166
  • 2.23.209.156
  • 2.23.209.158
  • 2.23.209.154
  • 2.23.209.162
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.179
  • 2.23.209.181
  • 2.23.209.153
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
electrum-usdt.com
  • 38.132.122.190
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Observed MSI Download
Potential Corporate Privacy Violation
ET HUNTING Suspicious Windows Installer UA for non-MSI
8 ETPRO signatures available at the full report
No debug info