URL:

https://github.com/RedNeck-inc/HWID-Spoofer/archive/refs/heads/main.zip

Full analysis: https://app.any.run/tasks/d782bf9f-1d44-4f21-8451-8e13f3d86f8a
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: March 26, 2023, 07:53:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
redline
Indicators:
MD5:

D7312DEC3C811180C05DE397D6C123FD

SHA1:

F83BA54067539315944A98D0C18A043538B1D603

SHA256:

2133EA759E456A60F00EB0D8F576F49D0275F7CE31EBD66679E4C7AD9DB91B8B

SSDEEP:

3:N8tEdgBiO2Vab4RSLNLc:2umBiO2Eb4ULN4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Spoofer.exe (PID: 2792)

    • REDLINE was detected

      • RegSvcs.exe (PID: 2672)

    • Connects to the CnC server

      • RegSvcs.exe (PID: 2672)

    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 2672)
      • cmd.exe (PID: 2444)

    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 2672)
      • cmd.exe (PID: 2444)

  • SUSPICIOUS

    • Connects to unusual port

      • RegSvcs.exe (PID: 2672)

    • Searches for installed software

      • RegSvcs.exe (PID: 2672)

    • Reads browser cookies

      • RegSvcs.exe (PID: 2672)

    • The process executes VB scripts

      • cmd.exe (PID: 3864)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 2444)

    • Reads the Internet Settings

      • cmd.exe (PID: 3864)
      • wscript.exe (PID: 2716)
      • WMIC.exe (PID: 2836)
      • WMIC.exe (PID: 2356)
      • WMIC.exe (PID: 3344)
      • WMIC.exe (PID: 2984)
      • WMIC.exe (PID: 2552)
      • WMIC.exe (PID: 3936)
      • WMIC.exe (PID: 2968)
      • WMIC.exe (PID: 884)
      • WMIC.exe (PID: 3708)
      • WMIC.exe (PID: 2832)
      • WMIC.exe (PID: 2036)
      • WMIC.exe (PID: 1936)
      • WMIC.exe (PID: 3780)
      • WMIC.exe (PID: 3952)
      • WMIC.exe (PID: 2652)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2716)
      • cmd.exe (PID: 2444)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2716)
      • cmd.exe (PID: 2444)

    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 2444)

    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 2444)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 2444)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2700)
      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 3704)
      • cmd.exe (PID: 3248)

    • Application launched itself

      • cmd.exe (PID: 2444)

    • Uses REG/REGEDIT.EXE to modify register

      • cmd.exe (PID: 2444)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2444)

  • INFO

    • Manual execution by a user

      • Spoofer.exe (PID: 2792)
      • cmd.exe (PID: 3864)
      • wmpnscfg.exe (PID: 1816)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3120)

    • Reads the computer name

      • RegSvcs.exe (PID: 2672)
      • wmpnscfg.exe (PID: 1816)

    • The process uses the downloaded file

      • iexplore.exe (PID: 2744)
      • WinRAR.exe (PID: 3120)

    • Create files in a temporary directory

      • iexplore.exe (PID: 2744)
      • cmd.exe (PID: 3864)

    • Application launched itself

      • iexplore.exe (PID: 2744)

    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 2672)
      • wmpnscfg.exe (PID: 1816)

    • The process checks LSA protection

      • RegSvcs.exe (PID: 2672)
      • cmd.exe (PID: 3864)
      • wmpnscfg.exe (PID: 1816)
      • WMIC.exe (PID: 2356)
      • WMIC.exe (PID: 3344)
      • WMIC.exe (PID: 2984)
      • WMIC.exe (PID: 3936)
      • WMIC.exe (PID: 2552)
      • WMIC.exe (PID: 2836)
      • WMIC.exe (PID: 3952)
      • WMIC.exe (PID: 2968)
      • WMIC.exe (PID: 3708)
      • WMIC.exe (PID: 2832)
      • WMIC.exe (PID: 884)
      • WMIC.exe (PID: 1936)
      • WMIC.exe (PID: 2036)
      • taskkill.exe (PID: 3624)
      • taskkill.exe (PID: 2908)
      • taskkill.exe (PID: 124)
      • taskkill.exe (PID: 3712)
      • taskkill.exe (PID: 4040)
      • taskkill.exe (PID: 3840)
      • taskkill.exe (PID: 2256)
      • taskkill.exe (PID: 3240)
      • WMIC.exe (PID: 3780)
      • WMIC.exe (PID: 2652)

    • Reads product name

      • RegSvcs.exe (PID: 2672)

    • Reads Environment values

      • RegSvcs.exe (PID: 2672)

    • Checks supported languages

      • RegSvcs.exe (PID: 2672)
      • Spoofer.exe (PID: 2792)
      • wmpnscfg.exe (PID: 1816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
119
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe spoofer.exe #REDLINE regsvcs.exe wmpnscfg.exe no specs cmd.exe no specs cacls.exe no specs wscript.exe no specs cmd.exe cacls.exe no specs cmd.exe no specs findstr.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs choice.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs findstr.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs choice.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs findstr.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs findstr.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124taskkill /f /im FortniteClient-Win64-Shipping.exeC:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
268ping -n 2 "" C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\ping.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
528REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d opensource-1260 /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
568ping -n 2 "" C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
660ping -n 2 "" C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
660reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
884wmic memorychip get serialnumberC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
912findstr /b /c:":menu_" "C:\Users\admin\Desktop\HWID-S~1\SERIAL~1.CHA\Spoofer.bat"C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
920ping -n 2 "" C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
980ping -n 2 "" C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events
58 248
Read events
57 872
Write events
366
Delete events
10

Modification events

(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2744) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
2
Suspicious files
26
Text files
88
Unknown types
18

Dropped files

PID
Process
Filename
Type
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565der
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_02835C6072261A584AE38D197B622594binary
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1Cbinary
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1Cder
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_02835C6072261A584AE38D197B622594der
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565binary
MD5:
SHA256:
1656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\HWID-Spoofer-main[1].zipcompressed
MD5:
SHA256:
2744iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8Fbinary
MD5:
SHA256:
2744iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5F2CB828E9C3828B.TMPgmc
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
26
DNS requests
15
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1656
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAzQqL7GMs%2FmReygqbCE%2Bxw%3D
US
der
313 b
whitelisted
2744
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
1656
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
US
der
471 b
whitelisted
1656
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAuJBTcSX0UQ1jcqECipKaU%3D
US
der
313 b
whitelisted
2744
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2744
iexplore.exe
GET
200
192.229.221.95:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
1656
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba497cdcaedf3194
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2744
iexplore.exe
95.100.53.90:443
go.microsoft.com
AKAMAI-AS
CH
suspicious
204.79.197.203:443
www.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
malicious
1656
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1656
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
2744
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2744
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1656
iexplore.exe
140.82.121.9:443
codeload.github.com
GITHUB
US
suspicious
2744
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2672
RegSvcs.exe
37.220.87.13:48790
LLC Internet Tehnologii
UZ
malicious

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
codeload.github.com
  • 140.82.121.9
whitelisted
crl3.digicert.com
  • 192.229.221.95
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 95.100.53.90
whitelisted

Threats

PID
Process
Class
Message
2672
RegSvcs.exe
A Network Trojan was detected
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/RedNeck-inc/HWID-Spoofer/archive/refs/heads/main.zip