File name:

311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c

Full analysis: https://app.any.run/tasks/0210e219-2fa5-4d8d-b585-4f22e50f9db1
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 21, 2025, 06:48:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

8F12A2285EA053CEE823ECE411012D40

SHA1:

ED1AF09DEB4D630748C980AEA143D1995713779C

SHA256:

311BFAC5F55C7532169142CDADF075E3EDB22AF37152BA57F1C6F053FE82147C

SSDEEP:

98304:yqY5BMpGWYDDyEDr3dzyY4Cxa3wFhxJNwdS+3LVf6jZZaiY3O65Er/PPuIoxptP7:Q0mYRgbff

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • 8433.tmp (PID: 6940)
    • Changes image file execution options

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
    • Reads the date of Windows installation

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
    • Application launched itself

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
    • Executable content was dropped or overwritten

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
      • 8433.tmp (PID: 6940)
    • The process verifies whether the antivirus software is installed

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
      • 7za.dll (PID: 2192)
    • Drops 7-zip archiver for unpacking

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
    • Starts application with an unusual extension

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
    • Creates file in the systems drive root

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
    • Starts CMD.EXE for commands execution

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 1480)
    • The process creates files with name similar to system file names

      • 8433.tmp (PID: 6940)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • 8433.tmp (PID: 6940)
  • INFO

    • The sample compiled with chinese language support

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
    • Checks supported languages

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
      • 7za.dll (PID: 2192)
      • 8433.tmp (PID: 6940)
    • Process checks computer location settings

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
    • Reads the computer name

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 3756)
      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
      • 7za.dll (PID: 2192)
    • Create files in a temporary directory

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
      • 8433.tmp (PID: 6940)
    • The sample compiled with english language support

      • 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (PID: 2460)
      • 8433.tmp (PID: 6940)
    • Creates files in the program directory

      • 7za.dll (PID: 2192)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4520)
      • WMIC.exe (PID: 4920)
    • Creates files or folders in the user directory

      • 8433.tmp (PID: 6940)
    • Checks proxy server information

      • slui.exe (PID: 3388)
    • Reads the software policy settings

      • slui.exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (53.3)
.exe | UPX compressed Win32 Executable (33.5)
.exe | Win32 Executable (generic) (5.5)
.exe | Win16/32 Executable Delphi generic (2.5)
.exe | Generic Win/DOS Executable (2.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:29 02:41:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 397312
InitializedDataSize: 7888896
UninitializedDataSize: 8904704
EntryPoint: 0x8de800
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.2503.29
ProductVersionNumber: 2.0.2503.29
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
CompanyName: -
FileDescription: -
FileVersion: 2.0.2503.29
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 2.0.0.0
Comments: -
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes shown in the graph (those marked "no specs" carry no indicators): 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe (no specs), 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe, 7za.dll (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), 8433.tmp, explorer.exe (no specs), slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1480
CMD: C:\WINDOWS\system32\cmd.exe /C WMIC BIOS get Manufacturer
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2192
CMD: "C:\Users\admin\AppData\Local\Temp\7za.dll" x "C:\Users\admin\AppData\Local\Temp\360Safe.dll" -o"C:\Program Files (x86)\360" -r -y
Path: C:\Users\admin\AppData\Local\Temp\7za.dll
Parent process: 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\7za.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2460
CMD: "C:\Users\admin\Desktop\311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe"
Path: C:\Users\admin\Desktop\311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Parent process: 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
2.0.2503.29
Modules
Images
c:\users\admin\desktop\311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3388
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3756
CMD: "C:\Users\admin\Desktop\311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe"
Path: C:\Users\admin\Desktop\311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.0.2503.29
Modules
Images
c:\users\admin\desktop\311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4520
CMD: WMIC BIOS get Manufacturer
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4844
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7za.dll
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4920
CMD: WMIC BIOS get Manufacturer
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5560
CMD: C:\WINDOWS\system32\explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: 8433.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
PID: 6320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
5 286
Read events
5 265
Write events
15
Delete events
6

Modification events

(PID) Process: (3756) 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
(PID) Process: (3756) 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
(PID) Process: (3756) 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
(PID) Process: (3756) 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
(PID) Process: (6940) 8433.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Operation: write
Name: Order
Value:
(binary data omitted)
(PID) Process: (6940) 8433.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MINIE
Operation: write
Name: LinksBandEnabled
Value: 1
(PID) Process: (6940) 8433.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MINIE
Operation: write
Name: LinksBandEnabled
Value: 1
(PID) Process: (6940) 8433.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Operation: write
Name: Attributes
Value: 0
(PID) Process: (6940) 8433.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\QQBrowser\Aio
Operation: write
Name: Show
Value: 0
(PID) Process: (2460) 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe
Operation: write
Name: Debugger
Value: -
Executable files
5
Suspicious files
53
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6940
Process: 8433.tmp
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\default\places.sqlite
Type: -
MD5:
SHA256:
PID: 6940
Process: 8433.tmp
Filename: C:\Users\admin\AppData\Roaming\360se6\User Data\Default\360Bookmarks
Type: text
MD5:28A92115619BE50352F18D547D77A4BD
SHA256:80BC0AF0703DBCCCCE03F4EA5326288D6B274C706B82AD3AF0E824B934200836
PID: 2192
Process: 7za.dll
Filename: C:\Program Files (x86)\360\360safe\360ss2.dat
Type: binary
MD5:919BC714E8ED36E1011E6B1E420DB789
SHA256:7E369B7D3C36547B5E7D081CACCEE3E500234CFB25E54E92193D2D41C78F7819
PID: 2460
Process: 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Filename: C:\Users\admin\AppData\Local\Temp\7za.dll
Type: executable
MD5:E3C061FA0450056E30285FD44A74CD2A
SHA256:E0E2C7D0F740FE2A4E8658CE54DFB6EB3C47C37FE90A44A839E560C685F1F1FA
PID: 6940
Process: 8433.tmp
Filename: C:\Users\admin\AppData\Roaming\360se6\User Data\Default\Top Sites
Type: binary
MD5:0504A7DE80654325D465B770C93ADB40
SHA256:F793E9FFE19F82E80F5C99B41B1571C41C508A546DB224724014E25C93FE23BF
PID: 2192
Process: 7za.dll
Filename: C:\Program Files (x86)\360\360sd\sl2.db
Type: text
MD5:4B2A95ED8D02473DAFB30D81B11C943E
SHA256:47E390B3B44B68ACDBB53C583B4AFF5FA48F04929C04E4F43801415C26C35D3B
PID: 2192
Process: 7za.dll
Filename: C:\Program Files (x86)\360\360safe\deepscan\speedmem2.hg
Type: binary
MD5:B6AA73806B033165A99A62B51BF92845
SHA256:46BD60D87F0008B869E1C0FF8B830364EB19C64EC85B4ABE95D240911D692A01
PID: 2192
Process: 7za.dll
Filename: C:\Program Files (x86)\360\360safe\SoftMgr\somextrainfo.ini
Type: text
MD5:7426B008426C1A6082F14B33B9F9F777
SHA256:38B36444D636C3007C248BF47D660B78DBFEBB3914A614E27EA7D62AFCFDEC5F
PID: 6940
Process: 8433.tmp
Filename: C:\Users\admin\AppData\Roaming\360se6\User Data\Default\Secure Preferences
Type: binary
MD5:09AB8D2ACDDF4B77D4461CA43B21A0FA
SHA256:FC74EF1BA08E8DA74DABD3C3973F3B1891E256F422B771449EE8E711B206E50F
PID: 2460
Process: 311bfac5f55c7532169142cdadf075e3edb22af37152ba57f1c6f053fe82147c.exe
Filename: C:\Users\admin\AppData\Local\Temp\8433.tmp
Type: executable
MD5:CF066FEE2387C7896CFBB8B9787D615A
SHA256:F9D97E11A70320519842DCC774600F705315F5F3B1B6ECD9F5F65F4219D34198
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
43
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.3:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.160.4:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
40.126.32.68:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.32.138:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
20.190.160.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
2368
RUXIMICS.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
200
20.190.160.67:443
https://login.live.com/RST2.srf
unknown
xml
10.2 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2368
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4168
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
2368
RUXIMICS.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.68
  • 20.190.160.14
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.67
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
  • 184.24.77.37
  • 184.24.77.35
  • 184.24.77.6
  • 184.24.77.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info