File name: _1dbec1c38bdc8c5087f0df7d4c0794a78f6079a741420c127d529907767f2ab9.fpx

Full analysis: https://app.any.run/tasks/59359c54-9eee-4a3c-8c89-034d28a75ec2
Verdict: Malicious activity
Analysis date: January 01, 2026, 17:13:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, advancedinstaller, upx
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D7B6C7D6-2A20-4551-AC6C-34D01B45815D}, Number of Words: 10, Subject: zhcn1, Author: zhcn1, Name of Creating Application: zhcn1, Template: ;1033, Comments: Uc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Dec 31 07:52:32 2025, Last Saved Time/Date: Wed Dec 31 07:52:32 2025, Last Printed: Wed Dec 31 07:52:32 2025, Number of Pages: 450
MD5: 1272E1625AE43CED8F9379C7266A37E7
SHA1: C0BF356D237D614C4A59336295D9EE8F1355527D
SHA256: 1DBEC1C38BDC8C5087F0DF7D4C0794A78F6079A741420C127D529907767F2AB9
SSDEEP: 98304:e9IVozx4Cb+BgR7h6Q8R4urfGCR9jVYk3yg20cWgHve04DlOX1cO4S0/BR:vU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 7924)
    • VALLEYRAT has been detected (YARA)

      • rundll32.exe (PID: 7952)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 8044)
    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 7748)
    • Likely accesses (executes) a file from the Public directory

      • MSI1AC3.tmp (PID: 7268)
      • cmd.exe (PID: 6056)
      • Win1.exe (PID: 800)
      • win.exe (PID: 2232)
      • Shell.exe (PID: 7984)
      • Jh.exe (PID: 7056)
    • Reads security settings of Internet Explorer

      • MSI1AC3.tmp (PID: 7268)
    • Starts CMD.EXE for commands execution

      • MSI1AC3.tmp (PID: 7268)
    • Executable content was dropped or overwritten

      • Win1.exe (PID: 800)
      • WmiPrvSE.exe (PID: 1148)
    • The process creates files with name similar to system file names

      • Win1.exe (PID: 800)
    • Starts a Microsoft application from unusual location

      • Jh.exe (PID: 7056)
    • Connects to unusual port

      • dllhost.exe (PID: 7472)
      • calc.exe (PID: 7452)
      • rundll32.exe (PID: 7952)
  • INFO

    • Manages system restore points

      • SrTasks.exe (PID: 5592)
    • Checks supported languages

      • msiexec.exe (PID: 7296)
      • msiexec.exe (PID: 7908)
      • MSI1AC3.tmp (PID: 7268)
      • Win1.exe (PID: 800)
      • win.exe (PID: 2232)
      • Shell.exe (PID: 7984)
      • Jh.exe (PID: 7056)
    • An automatically generated document

      • msiexec.exe (PID: 7748)
    • Reads the computer name

      • msiexec.exe (PID: 7908)
      • msiexec.exe (PID: 7296)
      • MSI1AC3.tmp (PID: 7268)
      • Win1.exe (PID: 800)
      • Jh.exe (PID: 7056)
    • Reads Environment values

      • msiexec.exe (PID: 7296)
    • The sample compiled with english language support

      • msiexec.exe (PID: 7908)
      • Win1.exe (PID: 800)
      • WmiPrvSE.exe (PID: 1148)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 7908)
    • Process checks computer location settings

      • MSI1AC3.tmp (PID: 7268)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7908)
    • AutoHotkey executable

      • cmd.exe (PID: 6056)
      • dllhost.exe (PID: 7924)
      • WmiPrvSE.exe (PID: 8032)
    • Checks transactions between databases Windows and Oracle

      • WmiPrvSE.exe (PID: 5612)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 7924)
    • UPX packer has been detected

      • WmiPrvSE.exe (PID: 8032)
      • WmiPrvSE.exe (PID: 1148)
    • Checks proxy server information

      • slui.exe (PID: 7332)

ValleyRat

(PID) Process: (7952) rundll32.exe
C2 (2): 127.0.0.1, 179.61.182.85
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {D7B6C7D6-2A20-4551-AC6C-34D01B45815D}
Words: 10
Subject: zhcn1
Author: zhcn1
LastModifiedBy: -
Software: zhcn1
Template: ;1033
Comments: Uc.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2025:12:31 07:52:32
ModifyDate: 2025:12:31 07:52:32
LastPrinted: 2025:12:31 07:52:32
Pages: 450
No data.
Total processes: 165
Monitored processes: 22
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order ("no specs" marks a process with no signature hits):
start, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe (no specs), msi1ac3.tmp (no specs), cmd.exe (no specs), conhost.exe (no specs), win1.exe, wmiprvse.exe (no specs), CMSTPLUA, win.exe (no specs), wmiprvse.exe (no specs), shell.exe (no specs), wmiprvse.exe, jh.exe (no specs), conhost.exe (no specs), #VALLEYRAT rundll32.exe, calc.exe, dllhost.exe, slui.exe

Process information

PID 800 | CMD: C:\Users\Public\Us\Win1.exe | Path: C:\Users\Public\Us\Win1.exe | Parent process: cmd.exe
User: admin
Company: AutoHotkey Foundation LLC
Integrity Level: MEDIUM
Description: AutoHotkey 64-bit
Exit code: 0
Version: 2.0.19
Modules (images): c:\users\public\us\win1.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\psapi.dll, c:\windows\system32\shlwapi.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll
PID 1148 | CMD: "C:\Windows\System32\wbem\WmiPrvSE.exe" | Path: C:\Windows\System32\wbem\WmiPrvSE.exe | Parent process: Shell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Provider Host
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\wbem\wmiprvse.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\wbem\fastprox.dll, c:\windows\system32\combase.dll, c:\windows\system32\ncobjapi.dll, c:\windows\system32\wbemcomn.dll, c:\windows\system32\ucrtbase.dll
PID 2232 | CMD: "C:\Users\Public\Us\Win.exe" | Path: C:\Users\Public\Us\win.exe | Parent process: dllhost.exe
User: admin
Company: AutoHotkey Foundation LLC
Integrity Level: HIGH
Description: AutoHotkey 64-bit
Exit code: 0
Version: 2.0.19
Modules (images): c:\users\public\us\win.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\psapi.dll, c:\windows\system32\shlwapi.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll
PID 4636 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID 5592 | CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15 | Path: C:\Windows\System32\SrTasks.exe | Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\srtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
PID 5612 | CMD: "C:\Windows\System32\wbem\WmiPrvSE.exe" | Path: C:\Windows\System32\wbem\WmiPrvSE.exe | Parent process: Win1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Provider Host
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\wbem\wmiprvse.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\wbem\fastprox.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\wbemcomn.dll
PID 6056 | CMD: "C:\Windows\System32\cmd.exe" /C start C:\Users\Public\Us\Win1.exe | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: MSI1AC3.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll
PID 7056 | CMD: C:\Users\Public\Us\JH.exe /create /sc onlogon /tn Vip /rl highest /tr C:\Users\Public\Us\Win.exe /F | Path: C:\Users\Public\Us\Jh.exe | Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\users\public\us\jh.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID 7268 | CMD: "C:\WINDOWS\Installer\MSI1AC3.tmp" /DontWait /HideWindow cmd /C start C:\Users\Public\Us\Win1.exe | Path: C:\Windows\Installer\MSI1AC3.tmp | Parent process: msiexec.exe
User: admin
Company: Caphyon LTD
Integrity Level: MEDIUM
Description: File that launches another file
Exit code: 0
Version: 22.4.0.0
Modules (images): c:\windows\installer\msi1ac3.tmp, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\crypt32.dll, c:\windows\syswow64\ucrtbase.dll
PID 7296 | CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 91531E61E27045E4556E72030AD94435 | Path: C:\Windows\SysWOW64\msiexec.exe | Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\aclayers.dll
Total events: 8 695
Read events: 8 537
Write events: 149
Delete events: 9

Modification events

Values written to these keys are binary VSS diagnostic records and are not listed here.

(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter)
(PID) Process: (7908) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter)
(PID) Process: (8044) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | Operation: write | Name: IDENTIFY (Enter)
(PID) Process: (8044) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | Operation: write | Name: IDENTIFY (Enter)
Executable files: 11
Suspicious files: 18
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7908 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | (type not reported)
MD5: (not reported) | SHA256: (not reported)

7908 | msiexec.exe | C:\Windows\Temp\~DFDEC61E877CDAA34D.TMP | binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B | SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

7908 | msiexec.exe | C:\Windows\Installer\101714.msi | executable
MD5: 1272E1625AE43CED8F9379C7266A37E7 | SHA256: 1DBEC1C38BDC8C5087F0DF7D4C0794A78F6079A741420C127D529907767F2AB9

7908 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{dac60148-15bc-406b-b7d3-070018d3b251}_OnDiskSnapshotProp | binary
MD5: 522A2673FDDD76148A559D6040C90434 | SHA256: 8937E81D66F83141C387444590FDE874B3B67D23E1F40D4F36EE775CC3810E09

7908 | msiexec.exe | C:\Windows\Installer\MSI183E.tmp | executable
MD5: 0606E1A2FE0D72593405CAFEB945C740 | SHA256: E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890

7908 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5: 522A2673FDDD76148A559D6040C90434 | SHA256: 8937E81D66F83141C387444590FDE874B3B67D23E1F40D4F36EE775CC3810E09

7908 | msiexec.exe | C:\Windows\Temp\~DFF6EECE7D3C218FC3.TMP | binary
MD5: F06257F8A75DB31EAF4E3A4FDD5C217D | SHA256: A1398B30D03EB8592AD211E07226DB251DAE124427740CC23C0667222FD80874

7908 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary
MD5: F06257F8A75DB31EAF4E3A4FDD5C217D | SHA256: A1398B30D03EB8592AD211E07226DB251DAE124427740CC23C0667222FD80874

7908 | msiexec.exe | C:\Windows\Installer\MSI18CC.tmp | executable
MD5: 0606E1A2FE0D72593405CAFEB945C740 | SHA256: E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890

7908 | msiexec.exe | C:\Windows\Installer\MSI19C8.tmp | binary
MD5: 11924B16F5C73D506290A3F90F186801 | SHA256: FA0D2006E45C26FC6A76388AD0BA418995F4A6CB34F63E69A21B6B1B7AA8399C
HTTP(S) requests: 37
TCP/UDP connections: 60
DNS requests: 100
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(A row whose PID and Process cells are "-" is grouped under the process of the row above it, as in the report's table.)

4704 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4704 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/FlightSettings/FSService?ProcessorClockSpeed=3094&IsRetailOS=1&OEMManufacturerName=DELL&FlightingPolicyValue=3&EnablePreviewBuilds=4294967295&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&ManagePreviewBuilds=3&BranchReadinessLevelSource=0&AttrDataVer=186&ProcessorCores=6&BranchReadinessLevelRaw=16&TotalPhysicalRAM=6144&TPMVersion=0&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&DeviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&App=FSS&AppVer=10.0&SmartActiveHoursState=1&ActiveHoursStart=20&SecureBootCapable=0&ActiveHoursEnd=13&DeviceFamily=Windows.Desktop | US | text | 87.3 Kb | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
6712 | svchost.exe | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.48 Kb | whitelisted
4256 | svchost.exe | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted
4256 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(A "-" cell is empty in the report; a row with "-" for PID and Process is grouped under the process of the row above it, as in the report's table.)

4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4704 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
4704 | svchost.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 2.16.164.72, 2.16.164.49 | whitelisted
www.microsoft.com | 23.59.18.102 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.68, 20.190.160.14, 20.190.160.5, 40.126.32.133, 20.190.160.130, 20.190.160.22, 40.126.32.140 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
go.microsoft.com | 23.52.181.141 | whitelisted
yzgy.cc | (no IP listed) | unknown
yzgy2.cc | (no IP listed) | unknown

Threats

PID | Process | Class | Message

- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] .cc TLD domain request
1148 | WmiPrvSE.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
1148 | WmiPrvSE.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
1148 | WmiPrvSE.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
No debug info