| Field | Value |
|---|---|
| URL | |
| Full analysis | https://app.any.run/tasks/91d74931-5e00-4ee8-b179-f522c1b6725e |
| Verdict | Malicious activity |
| Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date | February 17, 2025, 17:00:43 |
| OS | Windows 10 Professional (build: 19045, 64 bit) |
| Tags | zephyr miner evasion loader github |
| Indicators | |
| MD5 | D99FC04195AAFE4CE63FE64C186D97A5 |
| SHA1 | 87A5383C823093D5B9FDD85B2B2C642B8552C2F9 |
| SHA256 | 0B951ADA8FB3D65886DDE7285E63022C442D9F65838A82C418367349E3F012BE |
| SSDEEP | 12:2hRUpiFGK7dUP8AUnsU533f+bm/HaXa3poBC:2qiFGKRQ4nzZ/8OuBC |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
Adds path to the Windows Defender exclusion list
- printui.exe (PID: 8040)
- cmd.exe (PID: 7812)
- svchost.exe (PID: 7124)
- cmd.exe (PID: 7304)
- cmd.exe (PID: 7604)
- cmd.exe (PID: 2260)
- cmd.exe (PID: 5460)
- x383329.exe (PID: 7980)
- cmd.exe (PID: 6096)
- cmd.exe (PID: 2416)
- x383329.exe (PID: 3920)
- cmd.exe (PID: 7476)
- cmd.exe (PID: 8060)
- cmd.exe (PID: 5028)
- printui.exe (PID: 4012)
ZEPHYR has been detected
- printui.exe (PID: 8040)
- x383329.exe (PID: 3920)
- printui.exe (PID: 4012)
Creates or modifies Windows services
- reg.exe (PID: 7500)
- reg.exe (PID: 3680)
Starts CMD.EXE for self-deletion
- printui.exe (PID: 8040)
- printui.exe (PID: 5752)
- x383329.exe (PID: 3920)
- printui.exe (PID: 4012)
Uses Task Scheduler to autorun other applications
- cmd.exe (PID: 3640)
SUSPICIOUS
Process drops legitimate windows executable
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- printui.exe (PID: 8040)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
- x383329.exe (PID: 3920)
Reads security settings of Internet Explorer
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
Executable content was dropped or overwritten
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- printui.exe (PID: 8040)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
- svchost.exe (PID: 7124)
- cmd.exe (PID: 7240)
- x383329.exe (PID: 3920)
- printui.exe (PID: 5752)
- printui.exe (PID: 4012)
There is functionality for taking screenshot (YARA)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 7304)
- cmd.exe (PID: 5096)
- cmd.exe (PID: 7752)
Starts POWERSHELL.EXE for command execution
- cmd.exe (PID: 7304)
- cmd.exe (PID: 5096)
- cmd.exe (PID: 7812)
- cmd.exe (PID: 7304)
- cmd.exe (PID: 5460)
- cmd.exe (PID: 7604)
- cmd.exe (PID: 2260)
- cmd.exe (PID: 7752)
- cmd.exe (PID: 6096)
- cmd.exe (PID: 2416)
- cmd.exe (PID: 7476)
- cmd.exe (PID: 8060)
- cmd.exe (PID: 5028)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 2420)
- powershell.exe (PID: 7704)
- powershell.exe (PID: 2168)
Starts CMD.EXE for command execution
- printui.exe (PID: 8040)
- printui.exe (PID: 7220)
- console_zero.exe (PID: 2904)
- svchost.exe (PID: 7124)
- printui.exe (PID: 5752)
- x383329.exe (PID: 7980)
- x383329.exe (PID: 3920)
- printui.exe (PID: 4012)
Starts SC.EXE for service management
- cmd.exe (PID: 5616)
- cmd.exe (PID: 7280)
- cmd.exe (PID: 7596)
- cmd.exe (PID: 8172)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 7812)
- cmd.exe (PID: 7304)
- cmd.exe (PID: 7604)
- cmd.exe (PID: 5460)
- cmd.exe (PID: 2260)
- cmd.exe (PID: 6096)
- cmd.exe (PID: 2416)
- cmd.exe (PID: 7476)
- cmd.exe (PID: 8060)
- cmd.exe (PID: 5028)
Creates a new Windows service
- sc.exe (PID: 4128)
- sc.exe (PID: 7016)
Windows service management via SC.EXE
- sc.exe (PID: 7836)
- sc.exe (PID: 5992)
- sc.exe (PID: 5388)
The process drops C-runtime libraries
- printui.exe (PID: 8040)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 5616)
- cmd.exe (PID: 8172)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 4668)
- cmd.exe (PID: 7240)
- cmd.exe (PID: 7644)
- cmd.exe (PID: 3812)
- cmd.exe (PID: 8164)
- cmd.exe (PID: 3828)
Checks for external IP
- svchost.exe (PID: 2192)
- svchost.exe (PID: 7124)
Potential Corporate Privacy Violation
- svchost.exe (PID: 7124)
Connects to unusual port
- svchost.exe (PID: 7124)
Stops a currently running service
- sc.exe (PID: 7652)
Creates a directory related to the system
- cmd.exe (PID: 1328)
The process deletes a folder without confirmation
- printui.exe (PID: 4012)
INFO
Manual execution by a user
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- Taskmgr.exe (PID: 5092)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
- Taskmgr.exe (PID: 2416)
Executable content was dropped or overwritten
- msedge.exe (PID: 6188)
- msedge.exe (PID: 6772)
Reads the computer name
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- identity_helper.exe (PID: 4968)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
- console_zero.exe (PID: 2904)
- x383329.exe (PID: 3920)
Checks supported languages
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- identity_helper.exe (PID: 4968)
- printui.exe (PID: 8040)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- printui.exe (PID: 7220)
- console_zero.exe (PID: 2904)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
- printui.exe (PID: 5752)
- x383329.exe (PID: 7980)
- x383329.exe (PID: 3920)
- printui.exe (PID: 4012)
- console_zero.exe (PID: 8144)
Reads Environment values
- identity_helper.exe (PID: 4968)
Creates files in a temporary directory
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
Application launched itself
- msedge.exe (PID: 6188)
The sample was compiled with English language support
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- printui.exe (PID: 8040)
- msedge.exe (PID: 6772)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
- x383329.exe (PID: 3920)
Process checks computer location settings
- 14031106.Taha.printui.sfx.hide.exe (PID: 7916)
- 14031106.Taha.printui.sfx.hide.exe (PID: 7256)
- 14031106.Taha.printui.sfx.hide.exe (PID: 3172)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 2420)
- powershell.exe (PID: 7704)
- powershell.exe (PID: 1328)
- powershell.exe (PID: 7492)
- powershell.exe (PID: 7724)
- powershell.exe (PID: 7120)
- powershell.exe (PID: 4544)
- powershell.exe (PID: 1520)
- powershell.exe (PID: 2168)
- powershell.exe (PID: 6952)
- powershell.exe (PID: 512)
- powershell.exe (PID: 5208)
- powershell.exe (PID: 6028)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 2420)
- powershell.exe (PID: 7704)
- powershell.exe (PID: 1328)
- powershell.exe (PID: 7492)
- powershell.exe (PID: 4544)
- powershell.exe (PID: 7120)
- powershell.exe (PID: 7724)
- powershell.exe (PID: 2168)
- powershell.exe (PID: 1520)
- powershell.exe (PID: 6952)
- powershell.exe (PID: 512)
- powershell.exe (PID: 5208)
- powershell.exe (PID: 6028)
Reads security settings of Internet Explorer
- Taskmgr.exe (PID: 2416)
Creates a new folder
- cmd.exe (PID: 1328)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.
No data.
Total processes: 292
Monitored processes: 157
Malicious processes: 11
Suspicious processes: 15
Process information
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 6188 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://uc22f1ca5d44f4171d6f2d576b30.dl.dropboxusercontent.com/cd/0/get/CkSg2POFZ1BRtl90Sqy4TBdVf8P-3St5kBjXyNFxX4YUDFmJEwQjBjJmdVQUJPN5oG92D3FAi8g6aLwkqvOW4MC6hU71UBoR2cS8tUX8dk0LY2XpVYbu77M1yVoJZ66bFhkVZirKNwSA6crRn5DmC_nVqReL_59-tBfy4Ad6Zhk9BQ/file?_download_id=70944360161683334045893962059579770700465542134648149762750238834&_log_download_success=1&_notify_domain=www.dropbox.com&dl=1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | | 122.0.2365.59 |
| 6328 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7ff8175e5fd8,0x7ff8175e5fe4,0x7ff8175e5ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | | 122.0.2365.59 |
| 6520 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2308 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | | 122.0.2365.59 |
| 6528 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2484 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | msedge.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | | 122.0.2365.59 |
| 6552 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | | 122.0.2365.59 |
| 6796 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3464 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | | 122.0.2365.59 |
| 6824 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3576 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | | 122.0.2365.59 |
| 6948 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4072 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | — | 122.0.2365.59 |
| 6956 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | — | 122.0.2365.59 |
| 7068 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5256 --field-trial-handle=2320,i,17970776847083867909,10402957184852275615,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | — | 122.0.2365.59 |
Total events: 79696
Read events: 79664
Write events: 29
Delete events: 3
Modification events
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | write | failed_count | |
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | write | state | 2 |
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | write | state | 1 |
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics | write | user_experience_metrics.stability.exited_cleanly | |
| 6188 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | write | S-1-5-21-1693682860-607145093-2874071422-1001 | 9074F5BFEF8C2F00 |
| 6188 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | write | S-1-5-21-1693682860-607145093-2874071422-1001 | CA6306C0EF8C2F00 |
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393900 | write | WindowTabManagerFileMappingId | {FF052CFD-C7F0-46D7-AFA7-E4F4FCC0084E} |
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393900 | write | WindowTabManagerFileMappingId | {EF0B3DAE-6F92-4E53-9079-3B8624927371} |
| 6188 | msedge.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393900 | write | WindowTabManagerFileMappingId | {A7128E5C-1FAB-440B-B79C-A8DF1AC8A1CB} |
| 6188 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | write | S-1-5-21-1693682860-607145093-2874071422-1001 | 2FC332C0EF8C2F00 |
Executable files: 40
Suspicious files: 534
Text files: 135
Unknown types:
Dropped files
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF139a11.TMP | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF139a11.TMP | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF139a11.TMP | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF139a11.TMP | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF139a11.TMP | — | — | — |
| 6188 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | — | — |
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 63
TCP/UDP connections: 84
DNS requests: 86
Threats: 7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6068 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
8132 | svchost.exe | HEAD | 200 | 2.19.11.120:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1739887956&P2=404&P3=2&P4=ZgxecRhMPshp3%2fub%2b2wgR8t1kg5AitVErFWlXTJmmSaiHqi3Vf2YQPLL563fXQrJkdtedam5VP7RzcDsUaI%2fiw%3d%3d | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
8132 | svchost.exe | GET | 206 | 2.19.11.120:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1739887956&P2=404&P3=2&P4=ZgxecRhMPshp3%2fub%2b2wgR8t1kg5AitVErFWlXTJmmSaiHqi3Vf2YQPLL563fXQrJkdtedam5VP7RzcDsUaI%2fiw%3d%3d | unknown | — | — | whitelisted |
6068 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
8132 | svchost.exe | GET | 206 | 2.19.11.120:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1739887956&P2=404&P3=2&P4=ZgxecRhMPshp3%2fub%2b2wgR8t1kg5AitVErFWlXTJmmSaiHqi3Vf2YQPLL563fXQrJkdtedam5VP7RzcDsUaI%2fiw%3d%3d | unknown | — | — | whitelisted |
7456 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6068 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6068 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5064 | SearchApp.exe | 92.123.104.32:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
DNS requests
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| www.bing.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| login.live.com | | whitelisted |
| go.microsoft.com | | whitelisted |
| config.edge.skype.com | | whitelisted |
| edge.microsoft.com | | whitelisted |
Threats
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
— | — | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io) |
— | — | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
— | — | A suspicious string was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | A suspicious string was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
No debug info