File name:

xd-AntiSpy.zip

Full analysis: https://app.any.run/tasks/b1f3b08a-ec79-4f19-8d1f-6c03955736e8
Verdict: Malicious activity
Analysis date: July 04, 2024, 13:49:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

59533DA83D5CDB60C849E0E9EC30A53C

SHA1:

FD0AEA950C4C48ECA7547E2027529EEDDADAA199

SHA256:

06145E4A9BF0F9E70D06329CBA0ABA6A90BD635D8E297574FB7118DA2FDFDA20

SSDEEP:

12288:T1K+HPEro7aDOimgk2s6rRKv3UjtNYWLkmzLD/Gk5qjGW:T1wro7wOijk2s6tKv3UzYWLkmvD/GkI7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • xd-AntiSpy.exe (PID: 2728)
      • WinRAR.exe (PID: 3848)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • xd-AntiSpy.exe (PID: 2728)
      • GameBar.exe (PID: 4024)
      • StartMenuExperienceHost.exe (PID: 6340)
    • Executable content was dropped or overwritten

      • xd-AntiSpy.exe (PID: 2728)
    • The process creates files with name similar to system file names

      • xd-AntiSpy.exe (PID: 2728)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 2356)
      • DismHost.exe (PID: 6192)
      • DismHost.exe (PID: 652)
    • Detected use of alternative data streams (AltDS)

      • xd-AntiSpy.exe (PID: 2728)
    • Process drops legitimate windows executable

      • xd-AntiSpy.exe (PID: 2728)
    • Creates or modifies Windows services

      • xd-AntiSpy.exe (PID: 2728)
    • Starts CMD.EXE for commands execution

      • xd-AntiSpy.exe (PID: 2728)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6176)
      • cmd.exe (PID: 1004)
      • cmd.exe (PID: 6220)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 6780)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7024)
    • The process executes via Task Scheduler

      • explorer.exe (PID: 1160)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3188)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 6340)
    • Checks Windows Trust Settings

      • xd-AntiSpy.exe (PID: 2728)
    • Searches for installed software

      • TiWorker.exe (PID: 5316)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3848)
    • Checks supported languages

      • xd-AntiSpy.exe (PID: 2728)
      • DismHost.exe (PID: 2356)
      • DismHost.exe (PID: 652)
      • GameBar.exe (PID: 4024)
      • StartMenuExperienceHost.exe (PID: 6340)
      • SearchApp.exe (PID: 1048)
      • DismHost.exe (PID: 6192)
      • TextInputHost.exe (PID: 7072)
    • Reads the machine GUID from the registry

      • xd-AntiSpy.exe (PID: 2728)
      • SearchApp.exe (PID: 1048)
    • Manual execution by a user

      • xd-AntiSpy.exe (PID: 992)
      • xd-AntiSpy.exe (PID: 2728)
    • Reads the computer name

      • xd-AntiSpy.exe (PID: 2728)
      • DismHost.exe (PID: 2356)
      • DismHost.exe (PID: 6192)
      • DismHost.exe (PID: 652)
      • GameBar.exe (PID: 4024)
      • StartMenuExperienceHost.exe (PID: 6340)
      • TextInputHost.exe (PID: 7072)
      • SearchApp.exe (PID: 1048)
    • Reads the software policy settings

      • xd-AntiSpy.exe (PID: 2728)
      • SearchApp.exe (PID: 1048)
      • slui.exe (PID: 6868)
    • Reads Environment values

      • xd-AntiSpy.exe (PID: 2728)
      • DismHost.exe (PID: 6192)
      • DismHost.exe (PID: 2356)
      • DismHost.exe (PID: 652)
      • SearchApp.exe (PID: 1048)
    • Changes appearance of the Explorer extensions

      • reg.exe (PID: 7104)
      • reg.exe (PID: 4928)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 1160)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1160)
    • Create files in a temporary directory

      • xd-AntiSpy.exe (PID: 2728)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 6340)
      • SearchApp.exe (PID: 1048)
    • Creates files or folders in the user directory

      • StartMenuExperienceHost.exe (PID: 6340)
    • Checks proxy server information

      • explorer.exe (PID: 1160)
      • SearchApp.exe (PID: 1048)
    • Process checks Internet Explorer phishing filters

      • SearchApp.exe (PID: 1048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:03:08 09:09:56
ZipCRC: 0xb76210f4
ZipCompressedSize: 260876
ZipUncompressedSize: 711952
ZipFileName: Newtonsoft.Json.dll
No data.
All screenshots are available in the full report
Total processes
219
Monitored processes
72
Malicious processes
2
Suspicious processes
1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 528
CMD: taskkill /f /im explorer.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 540
CMD: "cmd.exe" /c reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme
Path: C:\Windows\System32\cmd.exe
Parent process: xd-AntiSpy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 544
CMD: "cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
Path: C:\Windows\System32\cmd.exe
Parent process: xd-AntiSpy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 652
CMD: C:\Users\admin\AppData\Local\Temp\8508881E-10F5-473E-985C-D314A6264E43\dismhost.exe {463CF80F-02EE-4835-91BE-8C3FE779811F}
Path: C:\Users\admin\AppData\Local\Temp\8508881E-10F5-473E-985C-D314A6264E43\DismHost.exe
Parent process: xd-AntiSpy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Dism Host Servicing Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\8508881e-10f5-473e-985c-d314a6264e43\dismhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 992
CMD: "C:\Users\admin\Desktop\xd-AntiSpy.exe"
Path: C:\Users\admin\Desktop\xd-AntiSpy.exe
Parent process: explorer.exe
User:
admin
Company:
A Belim app creation 2024
Integrity Level:
MEDIUM
Description:
xd-AntiSpy
Exit code:
3221226540
Version:
4.0.4
Modules
Images
c:\users\admin\desktop\xd-antispy.exe
c:\windows\system32\ntdll.dll
PID: 1004
CMD: "cmd.exe" /c "reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f"
Path: C:\Windows\System32\cmd.exe
Parent process: xd-AntiSpy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1048
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\combase.dll
PID: 1116
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
2
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\twinapi.dll
PID: 1116
CMD: DrvInst.exe "5" "2" "C:\WINDOWS\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\prnms001.inf" "0" "4b7f4e337" "00000000000001D4" "WinSta0\Default"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID: 1160
CMD: "C:\WINDOWS\explorer.exe" /NoUACCheck
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
Total events
68 553
Read events
68 051
Write events
469
Delete events
33

Modification events

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\xd-AntiSpy.zip

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (3848) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\AppData\Local\Temp
Executable files
152
Suspicious files
57
Text files
134
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 3848
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3848.30416\plugins\File Extensions Visibility.json
Type: binary
MD5: CA1243D201D273C2F2E5CABE09AD0B9F
SHA256: 8C26DC45BFBA8FDC4940408A539E29261D79FC38A0C8A7FE7BD129F99E71ED31

PID: 3848
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3848.30416\plugins\toolDebloater.json
Type: ini
MD5: 999F24BE962A180CD720D6B20E779D61
SHA256: 062D12D99F51D8963DCFAB996A60FDF9491F1CA5C291927DEC752ACDFFC46698

PID: 2728
Process: xd-AntiSpy.exe
Filename: C:\Users\admin\AppData\Local\Temp\D896B299-ADD9-433B-9DEA-D70B07CF64FD\AppxProvider.dll
Type: executable
MD5: 396C483D62FEA5FA0FD442C8DC99D4EF
SHA256: 36F2AF43F10FD76FEEF65BF574D79D3E27FD40DAF61249880511543C1F17AD91

PID: 2728
Process: xd-AntiSpy.exe
Filename: C:\Users\admin\AppData\Local\Temp\D896B299-ADD9-433B-9DEA-D70B07CF64FD\AssocProvider.dll
Type: executable
MD5: B7DB592706D3EEFBCF0D5A166D462E56
SHA256: DE21321272862E7C332E1724DC315F06F3ABE7A0340E61D351CAB208D6BBF059

PID: 2728
Process: xd-AntiSpy.exe
Filename: C:\Users\admin\AppData\Local\Temp\D896B299-ADD9-433B-9DEA-D70B07CF64FD\DismProv.dll
Type: executable
MD5: AB0DBC4F05B33EAAA447E31ACCAB8D21
SHA256: 6A3C3F07BDDBC3079873F8799F2C19ADDDC59F15D6B2DBA6E9314E5626BFD2A0

PID: 3848
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3848.30416\plugins\User Account Control.json
Type: binary
MD5: D19364DC6D15AFFBC488D77B1D3F09F8
SHA256: 10C63BBE2C149F8B4B2927ACD993716CD890118A6AF7953CD6A92ABDE2C8927F

PID: 3848
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3848.30416\plugins\Restart Explorer.ps1
Type: text
MD5: 2EBC3B277B6B0038B48F557507372A08
SHA256: CE31D19E4B3C0A707053DC081E109A465487F57B5180FB470BE9EF75F391095D

PID: 3848
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3848.30416\plugins\Uninstall OneDrive.ps1
Type: text
MD5: D3228595FE69C9F115E84592C6A70E48
SHA256: 945F7E685DB6FC568CC8EB114B4D54DD7D1D5FEB0879C84FE3F82ED786AE3B8D

PID: 3848
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3848.30416\plugins\Clear Icon Cache.json
Type: binary
MD5: 7EDF4927266FEC3C73A721C85327FD88
SHA256: 50DF56DA67DD6A764F1658A145EDBC37114AFDAE74B8683EA280ECFFB6F1A879

PID: 2728
Process: xd-AntiSpy.exe
Filename: C:\WINDOWS\Logs\DISM\dism.log
Type: text
MD5: 2A4AEAD222F156BF488A89FF24B8C955
SHA256: 45A3299482FAFEABB056B29006E840744FB08EF210FE59758B94E55DD8BADDB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
81
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
2476
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
2064
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2064
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5968
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
4632
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
5220
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
unknown
5220
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2336
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3676
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
2064
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2064
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2064
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2064
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4656
SearchApp.exe
92.123.104.38:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
Process
Message
xd-AntiSpy.exe
PID=2728 TID=1324 DismApi.dll: API Version 6.2.19041.3758 - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 DismApi.dll: Parent process command line: "C:\Users\admin\Desktop\xd-AntiSpy.exe" - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 Enter DismInitializeInternal - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 DismApi.dll: - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 DismApi.dll: - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 Initialized GlobalConfig - DismInitializeInternal
xd-AntiSpy.exe
PID=2728 TID=1324 Initialized SessionTable - DismInitializeInternal