File name:

datastore@cyberfear.com_no gui.exe

Full analysis: https://app.any.run/tasks/91178843-159b-4ca8-8e22-5b9dd82206bc
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: September 04, 2024, 19:30:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
mimic
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

CF50063A3105D27BA3063575BDF494D6

SHA1:

D466E9FB8302C07973E9835B252359FE63E0C999

SHA256:

1FA8B306A98B3AA8E3338E4F3E80C036FEB16B18163778CF9433115CBD8EA8E9

SSDEEP:

98304:ZDQPks2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8OiMGVFTeW6u1fabo:phsW6oy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • datastore@cyberfear.com_no gui.exe (PID: 188)
    • Known privilege escalation attack

      • dllhost.exe (PID: 4076)
    • Changes powershell execution policy (Bypass)

      • PIDAR.exe (PID: 2820)
    • Disables the Shutdown in the Start menu

      • PIDAR.exe (PID: 2820)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 5768)
      • powershell.exe (PID: 5388)
    • Disables Windows Defender

      • DC.exe (PID: 6120)
      • DC.exe (PID: 5732)
      • DC.exe (PID: 5172)
    • Changes image file execution options

      • PIDAR.exe (PID: 2820)
    • Creates or modifies Windows services

      • DC.exe (PID: 5732)
    • MIMIC has been detected (YARA)

      • PIDAR.exe (PID: 1124)
      • PIDAR.exe (PID: 3292)
      • PIDAR.exe (PID: 2820)
      • PIDAR.exe (PID: 5816)
    • XORed URL has been found (YARA)

      • PIDAR.exe (PID: 1124)
      • PIDAR.exe (PID: 3292)
      • PIDAR.exe (PID: 5816)
      • PIDAR.exe (PID: 2820)
    • Using BCDEDIT.EXE to modify recovery options

      • PIDAR.exe (PID: 2820)
    • Deletes shadow copies

      • PIDAR.exe (PID: 2820)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
      • datastore@cyberfear.com_no gui.exe (PID: 188)
    • Reads security settings of Internet Explorer

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
    • Executable content was dropped or overwritten

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
      • 7za.exe (PID: 1920)
      • datastore@cyberfear.com_no gui.exe (PID: 188)
      • PIDAR.exe (PID: 2820)
    • Creates file in the systems drive root

      • PIDAR.exe (PID: 2820)
    • Starts CMD.EXE for commands execution

      • PIDAR.exe (PID: 2820)
      • datastore@cyberfear.com_no gui.exe (PID: 1616)
    • Application launched itself

      • PIDAR.exe (PID: 2820)
      • DC.exe (PID: 6120)
      • DC.exe (PID: 5172)
    • Creates or modifies Windows services

      • PIDAR.exe (PID: 2820)
    • The executable file from the user directory is run by the CMD process

      • DC.exe (PID: 6120)
    • Uses powercfg.exe to modify the power settings

      • PIDAR.exe (PID: 2820)
    • Starts POWERSHELL.EXE for commands execution

      • PIDAR.exe (PID: 2820)
    • Executing commands from ".cmd" file

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5840)
      • vds.exe (PID: 4292)
      • wbengine.exe (PID: 4296)
    • Process drops legitimate windows executable

      • PIDAR.exe (PID: 2820)
  • INFO

    • Checks supported languages

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
      • 7za.exe (PID: 5184)
      • 7za.exe (PID: 1920)
      • datastore@cyberfear.com_no gui.exe (PID: 188)
      • PIDAR.exe (PID: 5816)
      • PIDAR.exe (PID: 2820)
      • Everything.exe (PID: 3672)
      • PIDAR.exe (PID: 3292)
      • PIDAR.exe (PID: 1124)
      • DC.exe (PID: 6120)
      • DC.exe (PID: 5172)
      • DC.exe (PID: 5732)
      • Everything.exe (PID: 4004)
    • Process checks computer location settings

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
    • Reads the computer name

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
      • 7za.exe (PID: 5184)
      • 7za.exe (PID: 1920)
      • datastore@cyberfear.com_no gui.exe (PID: 188)
      • PIDAR.exe (PID: 2820)
      • Everything.exe (PID: 3672)
      • PIDAR.exe (PID: 5816)
      • DC.exe (PID: 6120)
      • DC.exe (PID: 5172)
      • PIDAR.exe (PID: 1124)
      • PIDAR.exe (PID: 3292)
      • DC.exe (PID: 5732)
      • Everything.exe (PID: 4004)
    • Create files in a temporary directory

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
      • 7za.exe (PID: 1920)
      • DC.exe (PID: 6120)
    • The process uses the downloaded file

      • datastore@cyberfear.com_no gui.exe (PID: 1616)
      • dllhost.exe (PID: 4076)
    • Creates files or folders in the user directory

      • datastore@cyberfear.com_no gui.exe (PID: 188)
      • PIDAR.exe (PID: 2820)
      • Everything.exe (PID: 3672)
    • Reads the machine GUID from the registry

      • datastore@cyberfear.com_no gui.exe (PID: 188)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 4076)
    • Reads mouse settings

      • DC.exe (PID: 6120)
      • DC.exe (PID: 5172)
      • DC.exe (PID: 5732)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 5768)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5388)
    • Sends debugging messages

      • wbadmin.exe (PID: 736)
      • wbadmin.exe (PID: 5044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
220
Monitored processes
79
Malicious processes
10
Suspicious processes
1

Behavior graph

start datastore@cyberfear.com_no gui.exe 7za.exe no specs conhost.exe no specs 7za.exe conhost.exe no specs datastore@cyberfear.com_no gui.exe CMSTPLUA #XOR-URL pidar.exe everything.exe no specs cmd.exe no specs #XOR-URL pidar.exe no specs #XOR-URL pidar.exe no specs #XOR-URL pidar.exe no specs conhost.exe no specs dc.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs systray.exe no specs systray.exe no specs dc.exe dc.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs cmd.exe no specs conhost.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs conhost.exe no specs conhost.exe no specs wbadmin.exe wbadmin.exe conhost.exe no specs conhost.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs

Process information

PID: 8
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 188
CMD: "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\datastore@cyberfear.com_no gui.exe"
Path: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\datastore@cyberfear.com_no gui.exe
Parent process: datastore@cyberfear.com_no gui.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\datastore@cyberfear.com_no gui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: wbadmin.exe delete catalog -quiet
Path: C:\Windows\System32\wbadmin.exe
Parent process: PIDAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1020
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1124
CMD: "C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul1
Path: C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
Parent process: PIDAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\1d4f026e-db59-647a-72d2-3763f22a75a1\pidar.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1292
CMD: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
Path: C:\Windows\System32\powercfg.exe
Parent process: PIDAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1356
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1356
CMD: bcdedit.exe /set {default} recoveryenabled no
Path: C:\Windows\System32\bcdedit.exe
Parent process: PIDAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
PID: 1616
CMD: "C:\Users\admin\AppData\Local\Temp\datastore@cyberfear.com_no gui.exe"
Path: C:\Users\admin\AppData\Local\Temp\datastore@cyberfear.com_no gui.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\datastore@cyberfear.com_no gui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events
21 290
Read events
21 145
Write events
125
Delete events
20

Modification events

(PID) Process: (188) datastore@cyberfear.com_no gui.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: PIDAR
Value: "C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"

(PID) Process: (4076) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS
Operation: write
Name: Start
Value: 4

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SDRSVC
Operation: write
Name: Start
Value: 4

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine
Operation: write
Name: Start
Value: 4

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agntsvc.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskDesktopApp.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\axlbridge.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bedbh.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

(PID) Process: (2820) PIDAR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe
Executable files
24
Suspicious files
177
Text files
45
Unknown types
7

Dropped files

PID: 1616 | Process: datastore@cyberfear.com_no gui.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
MD5: B93EB0A48C91A53BDA6A1A074A4B431E
SHA256: AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142

PID: 1616 | Process: datastore@cyberfear.com_no gui.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
MD5: 3B03324537327811BBBAFF4AAFA4D75B
SHA256: 8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880

PID: 1920 | Process: 7za.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
MD5: AC34BA84A5054CD701EFAD5DD14645C9
SHA256: C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E

PID: 1920 | Process: 7za.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
MD5: 742C2400F2DE964D0CCE4A8DABADD708
SHA256: 2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01

PID: 188 | Process: datastore@cyberfear.com_no gui.exe | Type: text
Filename: C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.ini
MD5: 742C2400F2DE964D0CCE4A8DABADD708
SHA256: 2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01

PID: 1920 | Process: 7za.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
MD5: 803DF907D936E08FBBD06020C411BE93
SHA256: E8EAA39E2ADFD49AB69D7BB8504CCB82A902C8B48FBC256472F36F41775E594C

PID: 188 | Process: datastore@cyberfear.com_no gui.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything32.dll
MD5: 3B03324537327811BBBAFF4AAFA4D75B
SHA256: 8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880

PID: 188 | Process: datastore@cyberfear.com_no gui.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\DC.exe
MD5: AC34BA84A5054CD701EFAD5DD14645C9
SHA256: C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E

PID: 188 | Process: datastore@cyberfear.com_no gui.exe | Type: text
Filename: C:\Users\admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything2.ini
MD5: 51014C0C06ACDD80F9AE4469E7D30A9E
SHA256: 89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5

PID: 1616 | Process: datastore@cyberfear.com_no gui.exe | Type: compressed
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
MD5: B8DEE63DF27FBEFC900BA69A8392D7A0
SHA256: B9F64F96B17D05A523D65518549581E83B1F5B22D72BB91ADE0E18CF5E2CDE29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
46
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1436
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5380
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5380
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4760
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6412
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2256
svchost.exe
224.0.0.252:5355
whitelisted
2256
svchost.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 52.137.106.217
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.22
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
Process | Message
wbadmin.exe | Invalid parameter passed to C runtime function.
wbadmin.exe | Invalid parameter passed to C runtime function.