File name:

047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe

Full analysis: https://app.any.run/tasks/f1496524-64ac-45af-8525-d802fae5cc20
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are malware that gives an attacker partial to complete control over an infected computer. Such programs are often modular, offering a wide range of functions for illicit activity on the compromised system; the most common features include access to the user's data, webcam and keystrokes. RATs are typically distributed through phishing emails and links.

Analysis date: March 19, 2024, 15:27:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
imminent
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

E04213F27F4E2C763E0B8910F7743AF3

SHA1:

2707A70BFB085112CB02C82C738F752A4E789825

SHA256:

047FCF6CF1E83002C31D9725F92ABE3014BCB0A65A3078DCC6467036BA792547

SSDEEP:

6144:wfw6vJO15D23t9gFQntu8NU17PMULVTLbTAj6bvVkttb6Qhtgdo0SY:wfw6ROq9gunY8NaMMpTAgdk5YSY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions in the sandbox and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Imminent RAT is detected

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Changes the autorun value in the registry

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • The process creates files with name similar to system file names

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Reads security settings of Internet Explorer

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Reads the date of Windows installation

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Non-standard symbols in registry

      • Taskmgr.exe (PID: 2064)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 3556)
    • Connects to unusual port

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
  • INFO

    • Checks supported languages

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Reads the computer name

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Reads the machine GUID from the registry

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Creates files or folders in the user directory

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
      • Taskmgr.exe (PID: 2064)
    • Process checks computer location settings

      • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (PID: 4732)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 2064)
    • Checks proxy server information

      • slui.exe (PID: 6600)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:18 19:12:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 179712
InitializedDataSize: 694784
UninitializedDataSize: -
EntryPoint: 0x2007b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshot
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

  • start
    • 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe (#IMMINENT)
      • conhost.exe (no specs)
      • taskmgr.exe (no specs)
      • taskmgr.exe
    • wmiapsrv.exe (no specs)
    • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2064
CMD:
"C:\WINDOWS\SysWOW64\Taskmgr.exe"
Path:
C:\Windows\SysWOW64\Taskmgr.exe
Parent process:
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.1202 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
3556
CMD:
C:\WINDOWS\system32\wbem\WmiApSrv.exe
Path:
C:\Windows\System32\wbem\WmiApSrv.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\loadperf.dll
PID:
4272
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4732
CMD:
"C:\Users\admin\AppData\Local\Temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe"
Path:
C:\Users\admin\AppData\Local\Temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
PID:
6600
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID:
6944
CMD:
"C:\Windows\System32\Taskmgr.exe"
Path:
C:\Windows\SysWOW64\Taskmgr.exe
Parent process:
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
10.0.19041.1202 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
9 242
Read events
9 116
Write events
125
Delete events
1

Modification events

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Clients
Operation: write
Name: PID
Value: 4732

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svchost
Value: C:\Users\admin\AppData\Roaming\svchost\svchost.exe

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svchost
Value: \svchost\svchost.exe

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (4732) 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (2064) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: delete value
Name: Preferences
Value:

Process: (3556) WmiApSrv.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance
Operation: write
Name: Performance Refreshed
Value: 0

Process: (2064) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: write
Name: Preferences
Value:
Executable files
2
Suspicious files
1
Text files
2
Unknown types
4

Dropped files

PID: 4732
Process: 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Filename: C:\Users\admin\AppData\Roaming\svchost\svchost.exe
Type: executable
MD5: E04213F27F4E2C763E0B8910F7743AF3
SHA256: 047FCF6CF1E83002C31D9725F92ABE3014BCB0A65A3078DCC6467036BA792547

PID: 4732
Process: 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Filename: C:\Users\admin\AppData\Roaming\Imminent\Logs\19-03-2024
Type: text
MD5: 33BE604F8044D5984E8E3E3B694D710A
SHA256: 3F785F1CC535B0987139623200C7910B2B28F92DFE3309E8E071C091D0CE7313

PID: 4732
Process: 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Filename: C:\svchost\svchost.exe
Type: executable
MD5: E04213F27F4E2C763E0B8910F7743AF3
SHA256: 047FCF6CF1E83002C31D9725F92ABE3014BCB0A65A3078DCC6467036BA792547

PID: 4732
Process: 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Filename: C:\Users\admin\AppData\Roaming\Imminent\Path.dat
Type: binary
MD5: 3F8450E3A091362AA2E1B7E58A28C095
SHA256: EA854E3FE3989140A5F17136E0ADBEEAAC5C2CC3555D1FCE8E84C0708C231B0A

PID: 2064
Process: Taskmgr.exe
Filename: C:\Users\admin\AppData\Local\D3DSCache\e313ddc235b088d6\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Type: binary
MD5: AEA4F521B527615E27F4718F4D58ADD1
SHA256: 280C7D47E5CAD7D6208B6572F17E0099AB15E2C1DD1E824C9DBA87E279AA2C53

PID: 4732
Process: 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Filename: C:\Users\admin\AppData\Roaming\Imminent\Monitoring\system.dat
Type: binary
MD5: 943CC79FECB70E13170E2E7EEB72EA46
SHA256: 473953728FCA0668543D358DC3741E5212EBCB745F0D2562D46302D70D9725BD

PID: 2064
Process: Taskmgr.exe
Filename: C:\Users\admin\AppData\Local\D3DSCache\e313ddc235b088d6\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Type: text
MD5: F49655F856ACB8884CC0ACE29216F511
SHA256: 7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA

PID: 4732
Process: 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Filename: C:\Users\admin\AppData\Roaming\Imminent\Monitoring\network.dat
Type: binary
MD5: DD4E7843792672EDCE38000E31F9F0BC
SHA256: 9DA06E259BF0F0335B38C88586706EE5C6E3996181CC811FA31499477127D9E1

PID: 2064
Process: Taskmgr.exe
Filename: C:\Users\admin\AppData\Local\D3DSCache\e313ddc235b088d6\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Type: binary
MD5: 09C22002C807370C27681FBB1E76D387
SHA256: 09D981C774EE5623A9439AE02458477937C011552F2E01C1BF48D75100E689BB
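The modification events and the dropped-file list above describe the same persistence mechanism from two sides: PID 4732 writes two HKCU\...\Run values named "svchost", and both targets turn out to be copies of the sample itself (identical MD5/SHA256) stored outside any system directory, one under %APPDATA% and one at C:\svchost\svchost.exe, which the second Run value references only as the root-relative path \svchost\svchost.exe. The four ZoneMap writes, by contrast, are the Internet Settings zone-map initialisation that any process using WinINet/urlmon performs and are not persistence. The following added example (not ANY.RUN's code) ties the two tables together: it normalises the Run-key targets, flags system-binary names living outside system directories, checks whether each target is a byte-identical copy of the sample, and labels the ZoneMap writes as noise. The registry writes, paths and hashes are copied from the report; SYSTEM_DRIVE, the SYSTEM_BINARIES set and SYSTEM_DIRS are assumptions about the VM and about which names are worth matching.

```python
"""Persistence triage over the registry writes and dropped files listed above.

Added example, not ANY.RUN's code. Registry writes, file paths and hashes are
copied from the report. SYSTEM_DRIVE, SYSTEM_BINARIES and SYSTEM_DIRS are assumptions.
"""
import ntpath
from dataclasses import dataclass

# Assumption: root-relative Run values such as \svchost\svchost.exe resolve against C:.
SYSTEM_DRIVE = "C:"

# Assumed set of Windows binary names that malware likes to borrow; extend as needed.
SYSTEM_BINARIES = {"svchost.exe", "taskmgr.exe", "conhost.exe", "explorer.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "dllhost.exe"}
# Directories where a genuine copy of those binaries may legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap")
SAMPLE_SHA256 = "047FCF6CF1E83002C31D9725F92ABE3014BCB0A65A3078DCC6467036BA792547"


@dataclass(frozen=True)
class RegWrite:
    pid: int
    key: str
    name: str
    value: str


@dataclass(frozen=True)
class Dropped:
    pid: int
    path: str
    sha256: str


# Modification events attributed to PID 4732 in the report.
REG_WRITES = [
    RegWrite(4732, r"HKEY_CURRENT_USER\SOFTWARE\Clients", "PID", "4732"),
    RegWrite(4732, RUN_KEY, "svchost", r"C:\Users\admin\AppData\Roaming\svchost\svchost.exe"),
    RegWrite(4732, RUN_KEY, "svchost", r"\svchost\svchost.exe"),
    RegWrite(4732, ZONEMAP_KEY, "ProxyBypass", "1"),
    RegWrite(4732, ZONEMAP_KEY, "IntranetName", "1"),
    RegWrite(4732, ZONEMAP_KEY, "UNCAsIntranet", "1"),
    RegWrite(4732, ZONEMAP_KEY, "AutoDetect", "0"),
]

# Executables and RAT data files dropped by PID 4732 (hashes from the report).
DROPPED = [
    Dropped(4732, r"C:\Users\admin\AppData\Roaming\svchost\svchost.exe", SAMPLE_SHA256),
    Dropped(4732, r"C:\svchost\svchost.exe", SAMPLE_SHA256),
    Dropped(4732, r"C:\Users\admin\AppData\Roaming\Imminent\Path.dat",
            "EA854E3FE3989140A5F17136E0ADBEEAAC5C2CC3555D1FCE8E84C0708C231B0A"),
    Dropped(4732, r"C:\Users\admin\AppData\Roaming\Imminent\Monitoring\system.dat",
            "473953728FCA0668543D358DC3741E5212EBCB745F0D2562D46302D70D9725BD"),
]


def normalize_path(raw):
    """Strip quotes, anchor a root-relative path to SYSTEM_DRIVE, normalise and lower-case."""
    p = raw.strip().strip('"')
    if p.startswith("\\") and not p.startswith("\\\\"):   # \dir\file.exe, but not a UNC path
        p = SYSTEM_DRIVE + p
    return ntpath.normpath(p).lower()


def is_masquerading(path):
    """True when the file name is a well-known system binary but the directory is not a system one."""
    head, tail = ntpath.split(normalize_path(path))
    return tail in SYSTEM_BINARIES and not head.startswith(SYSTEM_DIRS)


def triage(reg_writes, dropped, sample_sha256):
    """Classify each registry write. Run-key values are tied back to the dropped file they
    point at and compared against the sample hash (self-copy); the four ZoneMap values are the
    zone-map initialisation WinINet/urlmon performs and are labelled as noise, not evidence."""
    by_path = {normalize_path(d.path): d for d in dropped}
    findings = []
    for w in reg_writes:
        key = w.key.lower()
        if key == RUN_KEY.lower():
            target = normalize_path(w.value)
            drop = by_path.get(target)
            findings.append({
                "kind": "autorun", "name": w.name, "target": target,
                "masquerade": is_masquerading(target),
                "self_copy": drop is not None and drop.sha256.upper() == sample_sha256.upper(),
            })
        elif key == ZONEMAP_KEY.lower():
            findings.append({"kind": "zonemap_noise", "name": w.name, "value": w.value})
        else:
            findings.append({"kind": "other", "key": w.key, "name": w.name, "value": w.value})
    return findings


if __name__ == "__main__":
    for finding in triage(REG_WRITES, DROPPED, SAMPLE_SHA256):
        print(finding)
```

On the report's data both Run values come back as masquerading self-copies, which is the combination behind the "Changes the autorun value in the registry" and "creates files with name similar to system file names" signatures; the HKCU\SOFTWARE\Clients\PID write is left as "other" because the page gives no basis for interpreting it beyond the value being the RAT's own PID.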
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
67
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3996
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
3996
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
3996
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
4288
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
3176
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4828
svchost.exe
239.255.255.250:1900
unknown
6140
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3996
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1280
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3996
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4732
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
147.185.221.16:55578
PLAYIT-GG
US
malicious
3996
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3996
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
3176
SIHClient.exe
52.165.165.26:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4288
backgroundTaskHost.exe
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.67
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
206.23.85.13.in-addr.arpa
unknown
nexusrules.officeapps.live.com
unknown

Threats

No threats detected
No debug info