File name:

cl.bat

Full analysis: https://app.any.run/tasks/dfeb4268-2048-4441-8819-1198c08d051f
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 14:47:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
webdav
python
arch-doc
arch-exec
remote
xworm
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

27565139F1D558E1405EAB0549887AEE

SHA1:

B05ED2D0632DAC7B134DD8F21CB70EEA60753180

SHA256:

0D1323D50FF0496C7EE687D65050B02DE85E80B81938D7E1DF204ED7320EF7C2

SSDEEP:

96:icoHmN7bogBBUlF93aEUChnKWT9/4VsnqVcj+:iTmJjrKfdFK4J4MqT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7684)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 7812)

    • XWORM has been detected (SURICATA)

      • notepad.exe (PID: 7988)

  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 7684)

    • Starts NET.EXE to map network drives

      • cmd.exe (PID: 7812)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7620)
      • cmd.exe (PID: 7812)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 7684)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 7684)

    • Remote file execution via WebDAV

      • net.exe (PID: 7916)

    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 7440)

    • Abuses WebDav for code execution

      • svchost.exe (PID: 7440)

    • The process drops C-runtime libraries

      • svchost.exe (PID: 7440)
      • cmd.exe (PID: 7812)
      • powershell.exe (PID: 7532)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 7812)
      • powershell.exe (PID: 7532)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7532)

    • The executable file from the user directory is run by the CMD process

      • python.exe (PID: 7984)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7532)

    • Process drops python dynamic module

      • powershell.exe (PID: 7532)

    • Loads Python modules

      • python.exe (PID: 7984)

    • Connects to unusual port

      • notepad.exe (PID: 7988)

    • Contacting a server suspected of hosting an CnC

      • notepad.exe (PID: 7988)

    • Adds/modifies Windows certificates

      • rundll32.exe (PID: 1676)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 7908)

    • Checks proxy server information

      • net.exe (PID: 7916)
      • rundll32.exe (PID: 1676)

    • Manual execution by a user

      • msedge.exe (PID: 7504)
      • notepad.exe (PID: 7988)
      • notepad.exe (PID: 7424)
      • OpenWith.exe (PID: 3968)
      • OpenWith.exe (PID: 7376)
      • OpenWith.exe (PID: 3884)
      • OpenWith.exe (PID: 7732)
      • rundll32.exe (PID: 1676)
      • cmd.exe (PID: 7860)
      • notepad.exe (PID: 6392)
      • OpenWith.exe (PID: 1300)
      • OpenWith.exe (PID: 7812)
      • OpenWith.exe (PID: 1348)
      • OpenWith.exe (PID: 6244)
      • OpenWith.exe (PID: 5864)
      • OpenWith.exe (PID: 1568)
      • OpenWith.exe (PID: 236)
      • OpenWith.exe (PID: 4152)
      • OpenWith.exe (PID: 3096)
      • OpenWith.exe (PID: 7632)
      • OpenWith.exe (PID: 1180)
      • OpenWith.exe (PID: 8108)
      • OpenWith.exe (PID: 5400)
      • OpenWith.exe (PID: 5244)
      • OpenWith.exe (PID: 7868)
      • python.exe (PID: 6708)
      • OpenWith.exe (PID: 516)
      • pythonw.exe (PID: 7536)
      • OpenWith.exe (PID: 4944)
      • OpenWith.exe (PID: 5324)
      • WinRAR.exe (PID: 2344)
      • OpenWith.exe (PID: 6940)

    • Reads the software policy settings

      • net.exe (PID: 7916)
      • rundll32.exe (PID: 1676)

    • Reads security settings of Internet Explorer

      • net.exe (PID: 7916)
      • notepad.exe (PID: 7988)
      • notepad.exe (PID: 7424)
      • rundll32.exe (PID: 1676)
      • notepad.exe (PID: 6392)

    • The sample compiled with english language support

      • svchost.exe (PID: 7440)
      • cmd.exe (PID: 7812)
      • powershell.exe (PID: 7532)

    • Reads the computer name

      • identity_helper.exe (PID: 7700)

    • Checks supported languages

      • identity_helper.exe (PID: 7700)
      • python.exe (PID: 7984)

    • Reads Environment values

      • identity_helper.exe (PID: 7700)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7532)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7532)

    • Python executable

      • python.exe (PID: 7984)
      • python.exe (PID: 6708)
      • pythonw.exe (PID: 7536)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 3968)
      • OpenWith.exe (PID: 7376)
      • OpenWith.exe (PID: 3884)
      • OpenWith.exe (PID: 6940)
      • OpenWith.exe (PID: 1300)
      • OpenWith.exe (PID: 7632)
      • OpenWith.exe (PID: 7812)
      • OpenWith.exe (PID: 1568)
      • OpenWith.exe (PID: 6244)
      • OpenWith.exe (PID: 5864)
      • OpenWith.exe (PID: 236)
      • OpenWith.exe (PID: 1348)
      • OpenWith.exe (PID: 4944)
      • OpenWith.exe (PID: 4152)
      • OpenWith.exe (PID: 1180)
      • OpenWith.exe (PID: 8108)
      • OpenWith.exe (PID: 3096)
      • OpenWith.exe (PID: 7732)

    • Creates files or folders in the user directory

      • rundll32.exe (PID: 1676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
202
Monitored processes
74
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe net.exe msedge.exe no specs svchost.exe msedge.exe no specs msedge.exe msedge.exe no specs svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe powershell.exe msedge.exe no specs python.exe no specs #XWORM notepad.exe net.exe no specs msedge.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs rundll32.exe cmd.exe no specs conhost.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs python.exe no specs conhost.exe no specs pythonw.exe no specs winrar.exe no specs msedge.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\__init__.pycC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
516"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\__init__.pycC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
924"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5732 --field-trial-handle=2420,i,2508519953878178625,10018611796738672274,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1132"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6944 --field-trial-handle=2420,i,2508519953878178625,10018611796738672274,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2420,i,2508519953878178625,10018611796738672274,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\__main__.pycC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1300"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\__init__.pycC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1348"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\eggs.pycC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1568"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\cElementTree.pycC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1676"C:\WINDOWS\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Users\admin\Desktop\python.catC:\Windows\System32\rundll32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
Total events
41 645
Read events
41 604
Write events
35
Delete events
6

Modification events

(PID) Process:(7812) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7812) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7812) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7908) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7908) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7908) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7908) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(7908) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
82E43E24D8932F00
(PID) Process:(7908) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\590510
Operation:writeName:WindowTabManagerFileMappingId
Value:
{F8B7CFB4-6E2D-4D76-855B-11D3E2E839AC}
(PID) Process:(7908) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
B7BF6024D8932F00
Executable files
36
Suspicious files
110
Text files
37
Unknown types
0

Dropped files

PID
Process
Filename
Type
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10d4f5.TMP
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10d4f5.TMP
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10d4f5.TMP
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10d4f5.TMP
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10d505.TMP
MD5:
SHA256:
7908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
109
DNS requests
51
Threats
26

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
2800
svchost.exe
GET
206
23.50.131.85:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1747705148&P2=404&P3=2&P4=LJv7ML0a4Jra7YdRSGKZ6vB7Up993UTBfAXCCA5pXDrN4ROpPsebHqXMAJRSkesZ0%2fzSrz7Sk%2fbg3qpUM8usBA%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7916
net.exe
104.16.231.132:443
digital-childrens-junior-cure.trycloudflare.com
CLOUDFLARENET
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7184
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.164
  • 23.48.23.193
  • 23.48.23.180
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.147
  • 23.48.23.141
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
digital-childrens-junior-cure.trycloudflare.com
  • 104.16.231.132
  • 104.16.230.132
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.128
  • 40.126.31.69
  • 40.126.31.0
  • 20.190.159.0
  • 20.190.159.129
  • 40.126.31.130
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
2196
svchost.exe
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
7916
net.exe
Misc activity
ET HUNTING TryCloudFlare Domain in TLS SNI
7916
net.exe
Misc activity
ET INFO Observed trycloudflare .com Domain in TLS SNI
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
7440
svchost.exe
Misc activity
ET HUNTING TryCloudFlare Domain in TLS SNI
7440
svchost.exe
Misc activity
ET INFO Observed trycloudflare .com Domain in TLS SNI
7440
svchost.exe
Misc activity
ET HUNTING TryCloudFlare Domain in TLS SNI
7440
svchost.exe
Misc activity
ET INFO Observed trycloudflare .com Domain in TLS SNI
7440
svchost.exe
Misc activity
ET INFO Observed trycloudflare .com Domain in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cl.bat