File name: PAYMENT_REF_NO_2025_1936.bat

Full analysis: https://app.any.run/tasks/763f8f79-de30-403e-a87c-94ec7b8e7b22
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: June 19, 2025, 12:40:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: netreactor, remcos, rat, auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: E1A5A1127B6BB3C8F183C7F00AD53792
SHA1: 0812631465501467F285F4AF283AF8658C10B7AB
SHA256: 27F05FB84D4E4264E8A95DE5289998CE1641204B17098F84F4CC20C37AAB00A5
SSDEEP: 49152:HZqcY3FUSAT892GNYRW5m7Sksldqx2WCTLhRWwU5EN4E3GNfvsNrjXKAUIVs/kPU:JYQNGeCq5hGuwcEN4gHNrQy7PlHeYk8s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • REMCOS mutex has been found

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 2368)
      • remcos.exe (PID: 6292)
    • Uses Task Scheduler to run other applications

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
    • REMCOS has been detected

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 2368)
      • remcos.exe (PID: 2368)
    • Changes the autorun value in the registry

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 2368)
    • REMCOS has been detected (YARA)

      • remcos.exe (PID: 2368)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
    • Starts itself from another location

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
    • Application launched itself

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
    • Executable content was dropped or overwritten

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
    • Connects to unusual port

      • remcos.exe (PID: 2368)
    • There is functionality for taking screenshot (YARA)

      • remcos.exe (PID: 2368)
  • INFO

    • Creates files in the program directory

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 2368)
    • Create files in a temporary directory

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
    • Creates files or folders in the user directory

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
    • Checks supported languages

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 3960)
      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • remcos.exe (PID: 2368)
      • remcos.exe (PID: 3672)
      • remcos.exe (PID: 6292)
    • .NET Reactor protector has been detected

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • remcos.exe (PID: 3672)
      • remcos.exe (PID: 3960)
    • Reads the computer name

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
      • remcos.exe (PID: 2368)
    • Process checks computer location settings

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
    • Reads the machine GUID from the registry

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3780)
      • remcos.exe (PID: 3960)
      • remcos.exe (PID: 3672)
    • Launching a file from a Registry key

      • PAYMENT_REF_NO_2025_1936.bat.exe (PID: 3836)
      • remcos.exe (PID: 2368)
    • Manual execution by a user

      • remcos.exe (PID: 3672)
    • Checks proxy server information

      • slui.exe (PID: 1720)
    • Reads the software policy settings

      • slui.exe (PID: 1720)

Remcos

(PID) Process: (2368) remcos.exe
C2 (1): 196.251.83.192:2404
Botnet: RemoteHost_Perez
Options:
Connect_interval: 1
Install_flag: True
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: False
Hide_file: True
Mutex_name: Rmc-H76D7L
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: 1
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:19 00:55:09+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1270784
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0x1381fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Dynamic weather forecasting with adaptive UI that responds to current conditions. Integrates multiple weather APIs with intelligent data fusion algorithms.
CompanyName: CloudSense Dynamics
FileDescription: StormCast
FileVersion: 0.0.0.0
InternalName: ytgC.exe
LegalCopyright: © CloudSense Dynamics - Meteorological Software Division
OriginalFileName: ytgC.exe
ProductName: StormCast - Adaptive Weather Intelligence
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
Total processes: 147
Monitored processes: 15
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start payment_ref_no_2025_1936.bat.exe schtasks.exe no specs conhost.exe no specs #REMCOS payment_ref_no_2025_1936.bat.exe remcos.exe no specs remcos.exe no specs slui.exe schtasks.exe no specs conhost.exe no specs remcos.exe no specs #REMCOS remcos.exe schtasks.exe no specs conhost.exe no specs remcos.exe no specs #REMCOS remcos.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 760
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1720
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2368
CMD: "C:\ProgramData\Remcos\remcos.exe"
Path: C:\ProgramData\Remcos\remcos.exe
Parent process: remcos.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Version: 0.0.0.0
Modules
Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 3392
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\glmUSrweonE" /XML "C:\Users\admin\AppData\Local\Temp\tmp3563.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: remcos.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 3672
CMD: "C:\ProgramData\Remcos\remcos.exe"
Path: C:\ProgramData\Remcos\remcos.exe
Parent process: explorer.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Exit code: 0
Version: 0.0.0.0
Modules
Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

PID: 3780
CMD: "C:\Users\admin\Desktop\PAYMENT_REF_NO_2025_1936.bat.exe"
Path: C:\Users\admin\Desktop\PAYMENT_REF_NO_2025_1936.bat.exe
Parent process: explorer.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Exit code: 0
Version: 0.0.0.0
Modules
Images
c:\users\admin\desktop\payment_ref_no_2025_1936.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 3836
CMD: "C:\Users\admin\Desktop\PAYMENT_REF_NO_2025_1936.bat.exe"
Path: C:\Users\admin\Desktop\PAYMENT_REF_NO_2025_1936.bat.exe
Parent process: PAYMENT_REF_NO_2025_1936.bat.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Exit code: 0
Version: 0.0.0.0
Modules
Images
c:\users\admin\desktop\payment_ref_no_2025_1936.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 3960
CMD: "C:\ProgramData\Remcos\remcos.exe"
Path: C:\ProgramData\Remcos\remcos.exe
Parent process: PAYMENT_REF_NO_2025_1936.bat.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Exit code: 0
Version: 0.0.0.0
Modules
Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 4680
CMD: "C:\ProgramData\Remcos\remcos.exe"
Path: C:\ProgramData\Remcos\remcos.exe
Parent process: remcos.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Exit code: 4294967295
Version: 0.0.0.0
Modules
Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 5168
CMD: "C:\ProgramData\Remcos\remcos.exe"
Path: C:\ProgramData\Remcos\remcos.exe
Parent process: remcos.exe
User: admin
Company: CloudSense Dynamics
Integrity Level: MEDIUM
Description: StormCast
Exit code: 4294967295
Version: 0.0.0.0
Modules
Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Total events: 5 997
Read events: 5 988
Write events: 9
Delete events: 0

Modification events

(PID) Process: (3836) PAYMENT_REF_NO_2025_1936.bat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Rmc-H76D7L
Value: "C:\ProgramData\Remcos\remcos.exe"

(PID) Process: (3836) PAYMENT_REF_NO_2025_1936.bat.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Rmc-H76D7L
Value: "C:\ProgramData\Remcos\remcos.exe"

(PID) Process: (3836) PAYMENT_REF_NO_2025_1936.bat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (2368) remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Rmc-H76D7L
Value: "C:\ProgramData\Remcos\remcos.exe"

(PID) Process: (2368) remcos.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Rmc-H76D7L
Value: "C:\ProgramData\Remcos\remcos.exe"

(PID) Process: (2368) remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-H76D7L
Operation: write
Name: exepath
Value:
2FFDFAC43A2D3EB9915AA4491E0F0B2EBD037E6DC4BF150675075884F5125A2DB3962AE0BB6E43AE74B9B13AF89840E5FD7962283CDC05CE7EC1193BD01607F3674F

(PID) Process: (2368) remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-H76D7L
Operation: write
Name: licence
Value: 444473B9B2F540CAA9A859C01F05745D

(PID) Process: (2368) remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-H76D7L
Operation: write
Name: time
Value:

(PID) Process: (2368) remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-H76D7L
Operation: write
Name: UID
Value:

Executable files: 2
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
PID: 3780
Process: PAYMENT_REF_NO_2025_1936.bat.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmpD05F.tmp
Type: xml
MD5:1A681E6C987D1DA69DF5BAEB33754C23
SHA256:48C8924F6F535AF870C8321966CF397FBE206B311B1EB6EDA1927C58B138EB08

PID: 3780
Process: PAYMENT_REF_NO_2025_1936.bat.exe
Filename: C:\Users\admin\AppData\Roaming\glmUSrweonE.exe
Type: executable
MD5:E1A5A1127B6BB3C8F183C7F00AD53792
SHA256:27F05FB84D4E4264E8A95DE5289998CE1641204B17098F84F4CC20C37AAB00A5

PID: 3960
Process: remcos.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp3563.tmp
Type: xml
MD5:1A681E6C987D1DA69DF5BAEB33754C23
SHA256:48C8924F6F535AF870C8321966CF397FBE206B311B1EB6EDA1927C58B138EB08

PID: 3672
Process: remcos.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp5743.tmp
Type: xml
MD5:1A681E6C987D1DA69DF5BAEB33754C23
SHA256:48C8924F6F535AF870C8321966CF397FBE206B311B1EB6EDA1927C58B138EB08

PID: 2368
Process: remcos.exe
Filename: C:\ProgramData\Remcos\logs.dat
Type: binary
MD5:A356FD90798989D4CE422E68CD5B116C
SHA256:49C7FC06A609B7F5BD6B6D72CD85D5704F49C79518CB30AD5F971818CF26BE4A

PID: 3836
Process: PAYMENT_REF_NO_2025_1936.bat.exe
Filename: C:\ProgramData\Remcos\remcos.exe
Type: executable
MD5:E1A5A1127B6BB3C8F183C7F00AD53792
SHA256:27F05FB84D4E4264E8A95DE5289998CE1641204B17098F84F4CC20C37AAB00A5

HTTP(S) requests: 27
TCP/UDP connections: 50
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7052 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7052 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7052 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7052 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176, 2.18.121.147, 2.18.121.139 | whitelisted
www.microsoft.com | 2.23.181.156, 23.219.150.101 | whitelisted
login.live.com | 20.190.159.4, 20.190.159.131, 20.190.159.23, 40.126.31.73, 40.126.31.3, 20.190.159.73, 40.126.31.67, 40.126.31.131 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.22 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected