File name: Potato.exe

Full analysis: https://app.any.run/tasks/2206d438-a1c9-4613-a50a-89e64a78e5de
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers establish partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 02, 2025, 18:02:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: delphi, inno, installer, wsftprm-sys, vuln-driver, xor-url, generic, valleyrat, winos, rat, silverfox
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 5430D46368E76910CA050081FC67FEF3
SHA1: 86B1BB0C0B80CEFD64CE179B608B260970141867
SHA256: 1AF445EE63E35F2778F2C4ABC41075315079A04E8E62F8E183411D36C9B6B396
SSDEEP: 786432:Tfh/idrTID/xhAo2hD/qQggGQEuytxcaQw10RbnIxX:TZ/iiD/xhAXi9XuKKaQqgnIN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Vulnerable driver has been detected
      • FritizenES.exe (PID: 8084)
    • UAC/LUA settings modification
      • UniClient.exe (PID: 6676)
    • XORed URL has been found (YARA)
      • FritizenES.exe (PID: 8084)
    • Changes Windows Defender settings
      • FritizenES.exe (PID: 8084)
    • Adds path to the Windows Defender exclusion list
      • FritizenES.exe (PID: 8084)
    • VALLEYRAT has been detected (YARA)
      • UniClient.exe (PID: 7296)
      • UniClient.exe (PID: 6676)
    • WINOS has been detected (YARA)
      • UniClient.exe (PID: 6676)
      • UniClient.exe (PID: 7296)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Potato.exe (PID: 7440)
      • Potato.exe (PID: 7660)
      • FritizenES.exe (PID: 8084)
      • Potato.tmp (PID: 7684)
    • Reads security settings of Internet Explorer
      • Potato.tmp (PID: 7460)
      • ShellExperienceHost.exe (PID: 4164)
    • The process drops C-runtime libraries
      • FritizenES.exe (PID: 8084)
    • Process drops legitimate windows executable
      • FritizenES.exe (PID: 8084)
    • Detected use of alternative data streams (AltDS)
      • FritizenES.exe (PID: 8084)
    • Application launched itself
      • UniClient.exe (PID: 6676)
    • Starts POWERSHELL.EXE for commands execution
      • FritizenES.exe (PID: 8084)
    • Script adds exclusion path to Windows Defender
      • FritizenES.exe (PID: 8084)
    • There is functionality for taking screenshot (YARA)
      • FritizenES.exe (PID: 8084)
      • UniClient.exe (PID: 6676)
      • UniClient.exe (PID: 7296)
    • Executes as Windows Service
      • UniClient.exe (PID: 6676)
    • Connects to unusual port
      • UniClient.exe (PID: 7296)
    • Reads the Windows owner or organization settings
      • Potato.tmp (PID: 7684)
  • INFO
    • Checks supported languages
      • Potato.exe (PID: 7440)
      • Potato.exe (PID: 7660)
      • Potato.tmp (PID: 7684)
      • Potato.tmp (PID: 7460)
      • FritizenES.exe (PID: 8084)
      • UniClient.exe (PID: 6676)
      • UniClient.exe (PID: 7296)
      • ShellExperienceHost.exe (PID: 4164)
    • Reads the computer name
      • Potato.exe (PID: 7660)
      • Potato.tmp (PID: 7460)
      • Potato.tmp (PID: 7684)
      • FritizenES.exe (PID: 8084)
      • UniClient.exe (PID: 6676)
      • ShellExperienceHost.exe (PID: 4164)
      • UniClient.exe (PID: 7296)
    • Create files in a temporary directory
      • Potato.exe (PID: 7440)
      • Potato.exe (PID: 7660)
      • Potato.tmp (PID: 7684)
      • FritizenES.exe (PID: 8084)
    • Process checks computer location settings
      • Potato.tmp (PID: 7460)
    • Detects InnoSetup installer (YARA)
      • Potato.tmp (PID: 7460)
      • Potato.exe (PID: 7440)
    • The sample compiled with english language support
      • FritizenES.exe (PID: 8084)
      • Potato.tmp (PID: 7684)
    • Creates files in the program directory
      • FritizenES.exe (PID: 8084)
    • Compiled with Borland Delphi (YARA)
      • Potato.tmp (PID: 7460)
      • Potato.exe (PID: 7440)
    • The sample compiled with chinese language support
      • FritizenES.exe (PID: 8084)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 5360)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 5360)
    • Checks proxy server information
      • slui.exe (PID: 6228)
    • Reads the software policy settings
      • slui.exe (PID: 6228)
    • Creates files or folders in the user directory
      • Potato.tmp (PID: 7684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

Process: FritizenES.exe (PID: 8084)
Decrypted URLs (31):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl.globalsign.com/gs/gscodesigng2.crl0
  • http://crl.globalsign.com/gs/gstimestampingg2.crl0T
  • http://crl.globalsign.net/root.crl0
  • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
  • http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
  • http://ocsp.digicert.com0
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0X
  • http://ocsp2.globalsign.com/gscodesigng20
  • http://secure.globalsign.com/cacert/gscodesigng2.crt04
  • http://secure.globalsign.com/cacert/gstimestampingg2.crt0
  • http://www.digicert.com/CPS0
  • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
  • http://www.microsoft.com/pkiops/Docs/Repository.htm0
  • http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0
  • http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crt0
  • http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
  • http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0
  • https://www.globalsign.com/repository/0
  • https://www.globalsign.com/repository/03
  • https://www.microsoft.com/en-us/windows
Decrypted URLs (9):
  • http://crl.globalsign.com/gs/gscodesigng2.crl0
  • http://crl.globalsign.com/gs/gstimestampingg2.crl0T
  • http://crl.globalsign.net/root.crl0
  • http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
  • http://ocsp2.globalsign.com/gscodesigng20
  • http://secure.globalsign.com/cacert/gscodesigng2.crt04
  • http://secure.globalsign.com/cacert/gstimestampingg2.crt0
  • https://www.globalsign.com/repository/0
  • https://www.globalsign.com/repository/03
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: zhgj23hjk5gkjg4k6jgkjh2346gjkhasfsfasfasfawgawfawgawgdwqrasf
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: zhgj23hjk5gkjg4k6jgkjh2346gjkhasfsfasfasfawgawfawgawgdwqrasf
ProductVersion: 55.1.252.162
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 11
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process chain, with the badges shown in the graph:
  • start
  • potato.exe
  • potato.tmp
  • potato.exe (no specs)
  • potato.tmp
  • fritizenes.exe (#XOR-URL)
  • uniclient.exe (#WINOS)
  • uniclient.exe (#WINOS, no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • shellexperiencehost.exe (no specs)
  • slui.exe (no specs)

Process information

PID: 4164
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\wincorlib.dll

PID: 5260
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 5360
CMD: powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\ProgramData\I0I0qaaT""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: FritizenES.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll

PID: 6228
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 6676
CMD: C:\ProgramData\I0I0qaaT\UniClient.exe
Path: C:\ProgramData\I0I0qaaT\UniClient.exe
Parent process: services.exe
User: SYSTEM
Company: 上海市数字证书认证中心有限公司
Integrity Level: SYSTEM
Description: 协卡助手
Version: 3.6.9.2
Modules (images):
  • c:\programdata\i0i0qaat\uniclient.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 7296
CMD: "C:\ProgramData\I0I0qaaT\UniClient.exe"
Path: C:\ProgramData\I0I0qaaT\UniClient.exe
Parent process: UniClient.exe
User: SYSTEM
Company: 上海市数字证书认证中心有限公司
Integrity Level: SYSTEM
Description: 协卡助手
Version: 3.6.9.2
Modules (images):
  • c:\programdata\i0i0qaat\uniclient.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\user32.dll
  • c:\windows\syswow64\win32u.dll

PID: 7440
CMD: "C:\Users\admin\AppData\Local\Temp\Potato.exe"
Path: C:\Users\admin\AppData\Local\Temp\Potato.exe
Parent process: explorer.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: zhgj23hjk5gkjg4k6jgkjh2346gjkhasfsfasfasfawgawfawgawgdwqrasf
Exit code: 0
Version: -
Modules (images):
  • c:\users\admin\appdata\local\temp\potato.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\comctl32.dll

PID: 7460
CMD: "C:\Users\admin\AppData\Local\Temp\is-U07PE.tmp\Potato.tmp" /SL5="$D0162,73542963,845824,C:\Users\admin\AppData\Local\Temp\Potato.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-U07PE.tmp\Potato.tmp
Parent process: Potato.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-u07pe.tmp\potato.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\comdlg32.dll

PID: 7660
CMD: "C:\Users\admin\AppData\Local\Temp\Potato.exe" /SPAWNWND=$A02DC /NOTIFYWND=$D0162
Path: C:\Users\admin\AppData\Local\Temp\Potato.exe
Parent process: Potato.tmp
User: admin
Company: -
Integrity Level: HIGH
Description: zhgj23hjk5gkjg4k6jgkjh2346gjkhasfsfasfasfawgawfawgawgdwqrasf
Exit code: 0
Version: -
Modules (images):
  • c:\users\admin\appdata\local\temp\potato.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\comctl32.dll

PID: 7684
CMD: "C:\Users\admin\AppData\Local\Temp\is-TLRHV.tmp\Potato.tmp" /SL5="$5030E,73542963,845824,C:\Users\admin\AppData\Local\Temp\Potato.exe" /SPAWNWND=$A02DC /NOTIFYWND=$D0162
Path: C:\Users\admin\AppData\Local\Temp\is-TLRHV.tmp\Potato.tmp
Parent process: Potato.exe
User: admin
Company: -
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-tlrhv.tmp\potato.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\comdlg32.dll
Total events: 8 040
Read events: 8 034
Write events: 6
Delete events: 0

Modification events

Process: FritizenES.exe (PID: 8084)
Key: HKEY_CURRENT_USER\SOFTWARE\CitizenFX\RedM
Operation: write
Name: Last Run Location
Value: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\

Process: UniClient.exe (PID: 6676)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

Process: UniClient.exe (PID: 6676)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: UniClient.exe (PID: 6676)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

Process: ShellExperienceHost.exe (PID: 4164)
Key: \REGISTRY\A\{c99b2c47-a49d-9c74-af5d-8d13c81136cd}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D00000016E935928CBBDB01
Executable files: 26
Suspicious files: 8
Text files: 2
Unknown types: 0

Dropped files

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\is-O1N1B.tmp
Type: -
MD5: -
SHA256: -

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\Repository.xml
Type: -
MD5: -
SHA256: -

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\is-VAGAK.tmp
Type: -
MD5: -
SHA256: -

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\Potato_安装包.exe
Type: -
MD5: -
SHA256: -

PID: 8084
Process: FritizenES.exe
Filename: C:\ProgramData\I0I0qaaT\DuiLib.dll
Type: -
MD5: -
SHA256: -

PID: 7660
Process: Potato.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-TLRHV.tmp\Potato.tmp
Type: executable
MD5: ABFC018FB65B8E93097A8690611DDE51
SHA256: 414AAABCF872A539C085AEBD2AE7D3B5A78FC03F60C3E35732F9093E7A41AC50

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-2EGB5.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\README.md
Type: binary
MD5: FD04624A265B8769CE4DA6291999E341
SHA256: BE0900D72D6597B1D233959A5956D452A8235ABF2FA3DA21A8B3B740ADD6932D

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\FritizenES.exe
Type: executable
MD5: 2B5EACE4A573E8347A39A1B304233994
SHA256: 4B9D1A571FBADB05E2631C38C250F913862B7B5AD1D29A1CF095E0F81CAE810F

PID: 7684
Process: Potato.tmp
Filename: C:\Users\admin\AppData\Roaming\hjg6342jkgj234hg6hjkgjk23h4hjk7623hjk7hjk27k4ghj2fawfaawgawgsasgasgawfawfawfawfawfawgag\is-BMG81.tmp
Type: binary
MD5: FD04624A265B8769CE4DA6291999E341
SHA256: BE0900D72D6597B1D233959A5956D452A8235ABF2FA3DA21A8B3B740ADD6932D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 62
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
8016 | SIHClient.exe | GET | 200 | 2.23.9.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CZ | binary | 419 b | whitelisted
8016 | SIHClient.exe | GET | 200 | 2.23.9.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CZ | binary | 407 b | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 868 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6544 | svchost.exe | 20.190.159.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.9.218
whitelisted
login.live.com
  • 20.190.159.128
  • 20.190.159.23
  • 20.190.159.73
  • 40.126.31.3
  • 40.126.31.67
  • 40.126.31.0
  • 40.126.31.71
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

No threats detected
No debug info