File name:

Windows Servers Runtime.exe

Full analysis: https://app.any.run/tasks/01e73c40-00a6-4013-99ca-1f2d65a2389c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: December 31, 2023, 21:50:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BD3421CDFEA65D7037533121A4B82AEA

SHA1:

48EC93C8B6DAB852B55C50AD3A2D4E5ECF3F0773

SHA256:

0E5C298EEA81721D30202057A8F1B6EEE18A1BFBB102248F1E862A96128097B9

SSDEEP:

6144:99fakdYevcnXk43yjXPKfVjuJuI4442r6cRJKTgnRo:95akJvcXQQW4442r6cuv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1680)
      • cmd.exe (PID: 2188)

    • Adds path to the Windows Defender exclusion list

      • Windows Servers Runtime.exe (PID: 5556)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 2692)

    • Actions looks like stealing of personal data

      • Windows Servers Runtime.exe (PID: 5556)
      • Windows Servers Runtime.exe (PID: 4676)
      • FileCoAuth.exe (PID: 7032)

    • Renames files like ransomware

      • Windows Servers Runtime.exe (PID: 5556)

    • Starts CMD.EXE for self-deleting

      • Windows Servers Runtime.exe (PID: 5556)
      • xSecs.exe (PID: 6608)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • Windows Servers Runtime.exe (PID: 4676)
      • Windows Servers Runtime.exe (PID: 5556)
      • FileCoAuth.exe (PID: 7032)

    • Starts CMD.EXE for commands execution

      • Windows Servers Runtime.exe (PID: 5556)
      • xSecs.exe (PID: 6608)

    • Starts application from unusual location

      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 7128)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 5812)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 4780)
      • cmd.exe (PID: 2692)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 5812)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 4780)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 2692)

    • Found strings related to reading or modifying Windows Defender settings

      • Windows Servers Runtime.exe (PID: 5556)

    • Creates files like ransomware instruction

      • Windows Servers Runtime.exe (PID: 5556)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 4076)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 2692)

    • Write to the desktop.ini file (may be used to cloak folders)

      • Windows Servers Runtime.exe (PID: 5556)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5996)
      • cmd.exe (PID: 5716)

  • INFO

    • Drops the executable file immediately after the start

      • Windows Servers Runtime.exe (PID: 4676)
      • Windows Servers Runtime.exe (PID: 5556)
      • FileCoAuth.exe (PID: 7032)

    • Reads the computer name

      • Windows Servers Runtime.exe (PID: 5556)
      • Windows Servers Runtime.exe (PID: 4676)
      • StartMenuExperienceHost.exe (PID: 6732)
      • FileCoAuth.exe (PID: 6168)

    • Checks supported languages

      • Windows Servers Runtime.exe (PID: 5556)
      • Windows Servers Runtime.exe (PID: 4676)
      • StartMenuExperienceHost.exe (PID: 6732)
      • xSecs.exe (PID: 6608)
      • FileCoAuth.exe (PID: 6168)

    • Create files in a temporary directory

      • Windows Servers Runtime.exe (PID: 4676)
      • Windows Servers Runtime.exe (PID: 5556)
      • FileCoAuth.exe (PID: 6168)

    • Creates files or folders in the user directory

      • Windows Servers Runtime.exe (PID: 5556)
      • StartMenuExperienceHost.exe (PID: 6732)
      • FileCoAuth.exe (PID: 6168)

    • Creates files in the program directory

      • Windows Servers Runtime.exe (PID: 5556)

    • Manual execution by a user

      • notepad.exe (PID: 6508)

    • Process checks computer location settings

      • Windows Servers Runtime.exe (PID: 5556)
      • StartMenuExperienceHost.exe (PID: 6732)
      • FileCoAuth.exe (PID: 7032)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 7032)

    • Reads Microsoft Office registry keys

      • FileCoAuth.exe (PID: 6168)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 6168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
189
Monitored processes
62
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start windows servers runtime.exe windows servers runtime.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs notepad.exe no specs startmenuexperiencehost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs xsecs.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs filecoauth.exe filecoauth.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
540SCHTASKS.exe /Delete /TN "Windows Update BETA" /FC:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
720powershell -inputformat none -outputformat none -NonInteractive -Command Get-Service WinDefend C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
792\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
844\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1068powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%s" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWindows Servers Runtime.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1676"C:\Windows\System32\cmd.exe" /c FOR / F "delims=" %I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%I")C:\Windows\SysWOW64\cmd.exeWindows Servers Runtime.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1676"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%s" C:\Windows\SysWOW64\cmd.exeWindows Servers Runtime.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1680"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\admin\AppData\Local\Temp\3582-490\Windows Servers Runtime.exe" /FC:\Windows\SysWOW64\cmd.exeWindows Servers Runtime.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
40 559
Read events
40 452
Write events
77
Delete events
30

Modification events

(PID) Process:(4676) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4676) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4676) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4676) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5556) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5556) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5556) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5556) Windows Servers Runtime.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2104) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2104) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
20
Suspicious files
1 527
Text files
1 903
Unknown types
0

Dropped files

PID
Process
Filename
Type
5556Windows Servers Runtime.exeC:\ProgramData\Adobe\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
4676Windows Servers Runtime.exeC:\Users\admin\AppData\Local\Temp\3582-490\Windows Servers Runtime.exeexecutable
MD5:26031E3493D51873B6CE93F3FDCBA2FB
SHA256:7A9DFB845FB27462BE48548EED06F96A8BD75936A27E77E017BC9AD617455989
5556Windows Servers Runtime.exeC:\ProgramData\Oracle\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\ProgramData\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\Users\admin\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\ProgramData\Oracle\Java\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\Users\admin\3D Objects\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\Users\admin\Contacts\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
5556Windows Servers Runtime.exeC:\ProgramData\Adobe\Temp\Xray_Help.txttext
MD5:F72F51D273FC1601553B9FDAA7AAB07C
SHA256:D0C54D4D7786D1F2D5B82668E9E310C3683472983D20599D8EDD9A6E234101D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
14
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6468
SIHClient.exe
GET
304
20.114.59.183:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL
unknown
6468
SIHClient.exe
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
6468
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
6468
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
binary
824 b
unknown
6468
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
binary
401 b
unknown
6468
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
binary
555 b
unknown
6468
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
binary
813 b
unknown
6468
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
binary
813 b
unknown
6468
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
binary
400 b
unknown
6468
SIHClient.exe
GET
200
40.68.123.157:443
https://slscr.update.microsoft.com/sls/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
4
System
192.168.100.255:137
whitelisted
2644
OfficeClickToRun.exe
52.182.141.63:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6468
SIHClient.exe
20.114.59.183:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6468
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown
6468
SIHClient.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
6468
SIHClient.exe
20.3.187.198:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2908
svchost.exe
2.18.161.41:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
6468
SIHClient.exe
40.68.123.157:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
x1.c.lencr.org
  • 2.18.161.41
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Windows Servers Runtime.exe