File name:

3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7

Full analysis: https://app.any.run/tasks/5a1d3cdb-8328-4ecd-94ff-7f82da54789d
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: April 12, 2025, 18:30:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
gh0st
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

5D7BED642E12888F7A15BF4AF6165157

SHA1:

7CA3C649EE0469F70D5C0260330CCFB8638C9644

SHA256:

3348AD210AC86877E023953519CBA103A690D82FF9568B7D70A89CE8E19F8DE7

SSDEEP:

49152:4Qf3BVy7x88988NtgwTx3z9EkR1SVSg5pfi0XW5aGZKrcfXfp/zTALozLvtsIEv1:4Qf3S4KBxR1SVSg5p5aZKrMqx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST mutex has been found

      • look2.exe (PID: 7564)
      • svchcst.exe (PID: 7652)
      • svchcst.exe (PID: 8064)
      • svchcst.exe (PID: 7888)
      • svchcst.exe (PID: 7308)
      • svchcst.exe (PID: 7276)
      • svchcst.exe (PID: 5344)
      • svchcst.exe (PID: 1676)
      • svchcst.exe (PID: 7600)
  • SUSPICIOUS

    • Suspicious files were dropped or overwritten

      • look2.exe (PID: 7564)
    • Creates or modifies Windows services

      • look2.exe (PID: 7564)
    • Executable content was dropped or overwritten

      • look2.exe (PID: 7564)
      • 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe (PID: 7540)
    • Connects to unusual port

      • svchcst.exe (PID: 7652)
      • svchcst.exe (PID: 8064)
      • svchcst.exe (PID: 7888)
      • svchcst.exe (PID: 1676)
      • svchcst.exe (PID: 5344)
      • svchcst.exe (PID: 7308)
      • svchcst.exe (PID: 7276)
      • svchcst.exe (PID: 7600)
    • There is functionality for taking screenshot (YARA)

      • 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe (PID: 7540)
    • Executes application which crashes

      • svchcst.exe (PID: 7652)
      • svchcst.exe (PID: 7888)
      • svchcst.exe (PID: 1676)
      • svchcst.exe (PID: 7308)
      • svchcst.exe (PID: 7276)
      • svchcst.exe (PID: 8064)
      • svchcst.exe (PID: 5344)
      • svchcst.exe (PID: 7600)
  • INFO

    • Checks supported languages

      • 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe (PID: 7540)
      • look2.exe (PID: 7564)
    • Create files in a temporary directory

      • 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe (PID: 7540)
    • The sample compiled with chinese language support

      • 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe (PID: 7540)
    • Reads the computer name

      • look2.exe (PID: 7564)
    • Reads security settings of Internet Explorer

      • svchcst.exe (PID: 7652)
      • svchcst.exe (PID: 7888)
      • svchcst.exe (PID: 8064)
      • svchcst.exe (PID: 7308)
      • svchcst.exe (PID: 5344)
      • svchcst.exe (PID: 7276)
      • svchcst.exe (PID: 7600)
      • svchcst.exe (PID: 1676)
    • Reads the software policy settings

      • svchcst.exe (PID: 7652)
      • svchcst.exe (PID: 7888)
      • svchcst.exe (PID: 1676)
      • svchcst.exe (PID: 7308)
      • svchcst.exe (PID: 7276)
      • svchcst.exe (PID: 8064)
      • svchcst.exe (PID: 5344)
      • svchcst.exe (PID: 7600)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:17 03:22:40+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 520192
InitializedDataSize: 1253376
UninitializedDataSize: -
EntryPoint: 0x60d55
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.9.0.9
ProductVersionNumber: 2.9.0.9
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 2.9.0.9
FileDescription: 应用程序
ProductName: PopWndL0g
ProductVersion: 2.9.0.9
CompanyName: RuntimeBroker
LegalCopyright: RuntimeBroker
Comments: PopWndL0g
Total processes
153
Monitored processes
20
Malicious processes
8
Suspicious processes
0

Behavior graph

start 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe look2.exe svchcst.exe werfault.exe no specs svchcst.exe werfault.exe no specs svchcst.exe werfault.exe no specs svchcst.exe werfault.exe no specs svchcst.exe werfault.exe no specs svchcst.exe no specs werfault.exe no specs svchcst.exe werfault.exe no specs svchcst.exe werfault.exe no specs slui.exe no specs 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1676
CMD: C:\WINDOWS\system32\svchcst.exe "c:\windows\system32\1097625.bat",MainThread
Path: C:\Windows\SysWOW64\svchcst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
255
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5344
CMD: C:\WINDOWS\system32\svchcst.exe "c:\windows\system32\1097625.bat",MainThread
Path: C:\Windows\SysWOW64\svchcst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
255
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7152
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5344 -s 1328
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: svchcst.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7232
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1676 -s 1328
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: svchcst.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7276
CMD: C:\WINDOWS\system32\svchcst.exe "c:\windows\system32\1097625.bat",MainThread
Path: C:\Windows\SysWOW64\svchcst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
255
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7308
CMD: C:\WINDOWS\system32\svchcst.exe "c:\windows\system32\1097625.bat",MainThread
Path: C:\Windows\SysWOW64\svchcst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
255
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7400
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7308 -s 1312
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: svchcst.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7436
CMD: "C:\Users\admin\Desktop\3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe"
Path: C:\Users\admin\Desktop\3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe
Parent process: explorer.exe
User:
admin
Company:
RuntimeBroker
Integrity Level:
MEDIUM
Description:
应用程序
Exit code:
3221226540
Version:
2.9.0.9
Modules
Images
c:\users\admin\desktop\3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7512
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7276 -s 1328
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: svchcst.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7540
CMD: "C:\Users\admin\Desktop\3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe"
Path: C:\Users\admin\Desktop\3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe
Parent process: explorer.exe
User:
admin
Company:
RuntimeBroker
Integrity Level:
HIGH
Description:
应用程序
Exit code:
0
Version:
2.9.0.9
Modules
Images
c:\users\admin\desktop\3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events
39 449
Read events
39 379
Write events
46
Delete events
24

Modification events

(PID) Process: (7564) look2.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst
Operation: write
Name: Description
Value: 管理基于组件对象模型的核心服务,如果服务被禁用,计算机将无法正常运行。

(PID) Process: (7564) look2.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters
Operation: write
Name: ServiceDll
Value: C:\WINDOWS\system32\1097625.bat

(PID) Process: (7564) look2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Operation: write
Name: svchcst
Value: svchcst

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile\svchcst.exe|5d020bac932c45f2
Operation: write
Name: ProgramId
Value: 0006e09c701521111759bd9b5099571c033d00000904

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile\svchcst.exe|5d020bac932c45f2
Operation: write
Name: FileId
Value: 00006f317948fd881fc9ad25292f6d2c021ee9a82a85

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile\svchcst.exe|5d020bac932c45f2
Operation: write
Name: LowerCaseLongPath
Value: c:\windows\syswow64\svchcst.exe

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile\svchcst.exe|5d020bac932c45f2
Operation: write
Name: LongPathHash
Value: svchcst.exe|5d020bac932c45f2

(PID) Process: (7776) WerFault.exe
Key: \REGISTRY\A\{5c99c260-8830-0e5a-4154-576644fb5816}\Root\InventoryApplicationFile\svchcst.exe|5d020bac932c45f2
Operation: write
Name: Name
Value: svchcst.exe

Executable files
3
Suspicious files
16
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7776
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchcst.exe_d41e1e28a92ead31b9e1d7846b6cfe7f5dd1e_19de00a8_24121aa7-b305-4f3f-a3f1-ad40a4b66ae0\Report.wer
MD5:
SHA256:

PID: 7976
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchcst.exe_d41e1e28a92ead31b9e1d7846b6cfe7f5dd1e_19de00a8_89cca7ee-cfac-4c2e-97de-ac3c9fd97814\Report.wer
MD5:
SHA256:

PID: 8188
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchcst.exe_d41e1e28a92ead31b9e1d7846b6cfe7f5dd1e_19de00a8_77b8fa41-b42c-483d-acfa-5e9ffd77dbc3\Report.wer
MD5:
SHA256:

PID: 7540
Process: 3348ad210ac86877e023953519cba103a690d82ff9568b7d70a89ce8e19f8de7.exe
Filename: C:\Users\admin\AppData\Local\Temp\look2.exe
Type: executable
MD5: 2F3B6F16E33E28AD75F3FDAEF2567807
SHA256: 86492EBF2D6F471A5EE92977318D099B3EA86175B5B7AE522237AE01D07A4857

PID: 7888
Process: svchcst.exe
Filename: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getip[1].htm
Type: html
MD5: 72FA0FCA20C82853E6DBBC1F13C78100
SHA256: 4555DE589FF9B307E20C708D6F112BC47BB377DF29FF0A5914F8FB0932926887

PID: 8188
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16D1.tmp.dmp
Type: binary
MD5: 5EFDCA6AAFED86C74DE74C6A561EB0C5
SHA256: 28F5551BB704FB1957E3BA654968D5546F8AD8981EA0290BAB277871FDC84334

PID: 8064
Process: svchcst.exe
Filename: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getip[1].htm
Type: html
MD5: 72FA0FCA20C82853E6DBBC1F13C78100
SHA256: 4555DE589FF9B307E20C708D6F112BC47BB377DF29FF0A5914F8FB0932926887

PID: 7976
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0FB.tmp.xml
Type: xml
MD5: 6AB2C0A07E1ED81CD1C9031FA1778AED
SHA256: 6A6BB9A58CE44ACD5961EAC840B5647F06C21BC9B6A822ED159E0605E5D124E7

PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchcst.exe_d41e1e28a92ead31b9e1d7846b6cfe7f5dd1e_19de00a8_310f915e-68e5-443b-b1d1-cf01deb1c477\Report.wer
MD5:
SHA256:

PID: 7976
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF92.tmp.dmp
Type: binary
MD5: 0D9414C16C7539BB27F8B5F9C789E245
SHA256: BE11CBED3F0390E94790F63A6E106668C96B5426CA2B05346B04C93886DFF2F8

HTTP(S) requests
73
TCP/UDP connections
103
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7652
svchcst.exe
GET
301
163.181.92.223:80
http://www.taobao.com/help/getip.php
unknown
whitelisted
7888
svchcst.exe
GET
301
163.181.92.223:80
http://www.taobao.com/help/getip.php
unknown
whitelisted
8064
svchcst.exe
GET
301
163.181.92.223:80
http://www.taobao.com/help/getip.php
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
2152
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2152
SIHClient.exe
GET
200
23.216.77.26:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2152
SIHClient.exe
GET
200
23.216.77.26:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5344
svchcst.exe
GET
301
163.181.92.223:80
http://www.taobao.com/help/getip.php
unknown
whitelisted
GET
200
13.85.23.206:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7652
svchcst.exe
47.238.96.72:442
kinh.xmcxmr.com
US
unknown
7652
svchcst.exe
163.181.92.223:80
www.taobao.com
Zhejiang Taobao Network Co.,Ltd
DE
whitelisted
7652
svchcst.exe
163.181.92.223:443
www.taobao.com
Zhejiang Taobao Network Co.,Ltd
DE
whitelisted
7888
svchcst.exe
47.238.96.72:442
kinh.xmcxmr.com
US
unknown
7888
svchcst.exe
163.181.92.223:80
www.taobao.com
Zhejiang Taobao Network Co.,Ltd
DE
whitelisted
7888
svchcst.exe
163.181.92.223:443
www.taobao.com
Zhejiang Taobao Network Co.,Ltd
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
kinh.xmcxmr.com
  • 47.238.96.72
unknown
www.taobao.com
  • 163.181.92.223
  • 163.181.92.222
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.71
  • 40.126.31.129
  • 20.190.159.75
  • 40.126.31.130
  • 20.190.159.73
  • 40.126.31.67
  • 40.126.31.3
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.216.77.26
  • 23.216.77.13
  • 23.216.77.22
  • 23.216.77.21
  • 23.216.77.18
  • 23.216.77.25
  • 23.216.77.31
  • 23.216.77.7
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info