File name: 3e56fe594475c8c630cb2e04a689b28ffc91644b431bd318b2ec1f032a739ae5

Full analysis: https://app.any.run/tasks/85e56787-035c-4518-a517-7a7273ddd189
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging is also often bundled into remote access trojans as part of a wider set of malicious capabilities.

Analysis date: March 25, 2025, 05:29:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, snake, keylogger, evasion, stealer, ims-api, generic
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 848F9D25C3D7F2C81BC5F72A4D75F13E
SHA1: 81E3B9B6A1DFEC81B59816BFAF53253B737B5A6A
SHA256: 3E56FE594475C8C630CB2E04A689B28FFC91644B431BD318B2EC1F032A739AE5
SSDEEP: 24576:v3TBv6KNX2fnxeJtjR9k0bjFM+Ml2yINOr97iqMr33F47ZrImYO:v3TBv6KNX2fnxeJtjRq0bpM+Ml2yINO5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Creates files in the Startup directory
      • neophobia.exe (PID: 6576)
    • SNAKEKEYLOGGER has been detected (SURICATA)
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • Steals credentials from Web Browsers
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • SNAKE has been detected (YARA)
      • RegSvcs.exe (PID: 6540)
      • RegSvcs.exe (PID: 2092)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • New Purchase Order.exe (PID: 2984)
    • Starts itself from another location
      • New Purchase Order.exe (PID: 2984)
    • Checks for external IP
      • svchost.exe (PID: 2196)
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 6184)
    • The process verifies whether antivirus software is installed
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • Executing commands from a ".bat" file
      • WinRAR.exe (PID: 3132)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • RegSvcs.exe (PID: 6540)
      • RegSvcs.exe (PID: 2092)
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 3132)
    • Starts CMD.EXE for command execution
      • WinRAR.exe (PID: 3132)
  • INFO
    • Creates files or folders in the user directory
      • New Purchase Order.exe (PID: 2984)
      • neophobia.exe (PID: 6576)
    • Manual execution by a user
      • New Purchase Order.exe (PID: 2984)
      • wscript.exe (PID: 6184)
    • The sample was compiled with English language support
      • WinRAR.exe (PID: 3132)
      • New Purchase Order.exe (PID: 2984)
    • Reads mouse settings
      • New Purchase Order.exe (PID: 2984)
      • neophobia.exe (PID: 6576)
      • neophobia.exe (PID: 3896)
    • Reads the machine GUID from the registry
      • New Purchase Order.exe (PID: 2984)
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • Checks supported languages
      • New Purchase Order.exe (PID: 2984)
      • neophobia.exe (PID: 6576)
      • RegSvcs.exe (PID: 2092)
      • neophobia.exe (PID: 3896)
      • RegSvcs.exe (PID: 6540)
      • MpCmdRun.exe (PID: 4776)
    • Creates files in a temporary directory
      • neophobia.exe (PID: 6576)
      • New Purchase Order.exe (PID: 2984)
      • neophobia.exe (PID: 3896)
      • MpCmdRun.exe (PID: 4776)
    • Autorun file from Startup directory
      • neophobia.exe (PID: 6576)
    • Reads the computer name
      • RegSvcs.exe (PID: 2092)
      • MpCmdRun.exe (PID: 4776)
      • RegSvcs.exe (PID: 6540)
    • Disables trace logs
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
    • Checks proxy server information
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
      • slui.exe (PID: 6620)
    • Reads the software policy settings
      • RegSvcs.exe (PID: 2092)
      • RegSvcs.exe (PID: 6540)
      • slui.exe (PID: 6620)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3132)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

SnakeKeylogger

Process (PID 2092): RegSvcs.exe
Keys
  DES: 6fc98cd68a1aab8b
Options
  Telegram Bot Token: 7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI
  Telegram Chat ID: 5411784088
Process (PID 6540): RegSvcs.exe
Keys
  DES: 6fc98cd68a1aab8b
Options
  Telegram Bot Token: 7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI
  Telegram Chat ID: 5411784088

ims-api

Process (PID 2092): RegSvcs.exe
Telegram-Tokens (1): 7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI
Telegram-Info-Links for token 7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI
  Get info about bot: https://api.telegram.org/bot7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI/getMe
  Get incoming updates: https://api.telegram.org/bot7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI/getUpdates
  Get webhook: https://api.telegram.org/bot7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI/getWebhookInfo
  Delete webhook: https://api.telegram.org/bot7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI/deleteWebhook
  Drop incoming updates: https://api.telegram.org/bot7725623378:AAFyPRXLgMaz6RepcrwiG-KkR7jNMc-SEgI/deleteWebhook?drop_pending_updates=true

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:25 02:37:08
ZipCRC: 0x46b428fe
ZipCompressedSize: 573800
ZipUncompressedSize: 1000960
ZipFileName: New Purchase Order.exe
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 12
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (flattened from the interactive view): start → winrar.exe → new purchase order.exe → neophobia.exe → regsvcs.exe (#SNAKE), svchost.exe, wscript.exe (no specs) → neophobia.exe (no specs) → regsvcs.exe (#SNAKE), slui.exe, cmd.exe (no specs), conhost.exe (no specs), mpcmdrun.exe (no specs)

Process information

Each entry lists PID, command line (CMD), image path, parent process, and the loaded modules (images) recorded by the sandbox.
PID: 2092
CMD: "C:\Users\admin\Desktop\New Purchase Order.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: neophobia.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2192
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2984
CMD: "C:\Users\admin\Desktop\New Purchase Order.exe"
Path: C:\Users\admin\Desktop\New Purchase Order.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\new purchase order.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 3132
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\3e56fe594475c8c630cb2e04a689b28ffc91644b431bd318b2ec1f032a739ae5.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3896
CMD: "C:\Users\admin\AppData\Local\porcelainization\neophobia.exe"
Path: C:\Users\admin\AppData\Local\porcelainization\neophobia.exe
Parent process: wscript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\porcelainization\neophobia.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID: 4776
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3132.47218"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Malware Protection Command Line Utility
Exit code: 2
Version: 4.18.1909.6 (WinBuild.160101.0800)
Modules (images):
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 5200
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3132.47218\Rar$Scan110022.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 6184
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6540
CMD: "C:\Users\admin\AppData\Local\porcelainization\neophobia.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: neophobia.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
Total events: 13 640
Read events: 13 616
Write events: 24
Delete events: 0

Modification events

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3, Value: C:\Users\admin\Desktop\preferences.zip

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2, Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1, Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0, Value: C:\Users\admin\Desktop\3e56fe594475c8c630cb2e04a689b28ffc91644b431bd318b2ec1f032a739ae5.zip

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name, Value: 120

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size, Value: 80

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type, Value: 120

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime, Value: 100

(PID 3132) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write, Name: ArcSort, Value: 32

(PID 2092) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write, Name: EnableFileTracing, Value: 0
Executable files: 2
Suspicious files: 6
Text files: 1
Unknown types: 0

Dropped files

PID 2984, New Purchase Order.exe
Filename: C:\Users\admin\AppData\Local\porcelainization\neophobia.exe (executable)
MD5: D6E27EBA7CE52A97269531309B3CE30C
SHA256: 905CA82E14094EAF2E1D9F2349C53368F3CD2186A381E1B59280DFB7B1F12A39

PID 2984, New Purchase Order.exe
Filename: C:\Users\admin\AppData\Local\Temp\cacostomia (binary)
MD5: 9237AF4AB527FF7AD4D91E76844FBF75
SHA256: 859C706D3F35E9B67FD8DA6BB4DB748625DDBB4BA85B630F7B829B835A22D93E

PID 6576, neophobia.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs (binary)
MD5: 4D13CDEAC65154A7C96CB558351991FA
SHA256: 439DF17A5BC50C37B638A2322F90090FD3632C03A776CE5FB844C21E87C38D47

PID 2984, New Purchase Order.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut2CBA.tmp (binary)
MD5: DD4004987233C232346C752707756438
SHA256: 6C669756BE49FE20FE61F6E47DFF19BEC274D7CE2F77894A98479C1456A0D096

PID 4776, MpCmdRun.exe
Filename: C:\Users\admin\AppData\Local\Temp\MpCmdRun.log (binary)
MD5: 4B7530E0B43617C63F0C4AD8070BCCA7
SHA256: B89C1F639003E7F5062F0A2EF399FFB26EB2B5A9AB0AA840A71A308B2FA2AB0C

PID 3896, neophobia.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut3E6D.tmp (binary)
MD5: DD4004987233C232346C752707756438
SHA256: 6C669756BE49FE20FE61F6E47DFF19BEC274D7CE2F77894A98479C1456A0D096

PID 3132, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$VR3132.47218\3e56fe594475c8c630cb2e04a689b28ffc91644b431bd318b2ec1f032a739ae5.zip\New Purchase Order.exe (executable)
MD5: D6E27EBA7CE52A97269531309B3CE30C
SHA256: 905CA82E14094EAF2E1D9F2349C53368F3CD2186A381E1B59280DFB7B1F12A39

PID 3132, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$VR3132.47218\Rar$Scan110022.bat (text)
MD5: 7E47246047892B62303CE66651EAB4C3
SHA256: 7CCA5D4983614FCFE2746353DB351E926691580423F62369A6495ACEEAD49763

PID 6576, neophobia.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut2FE7.tmp (binary)
MD5: DD4004987233C232346C752707756438
SHA256: 6C669756BE49FE20FE61F6E47DFF19BEC274D7CE2F77894A98479C1456A0D096
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 63
TCP/UDP connections: 51
DNS requests: 19
Threats: 25

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(not shown) | (not shown) | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | (not shown)
1228 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
2092 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
2092 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted

The Type and Size columns were empty for every row in the extract and are omitted.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
(not shown) | (not shown) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6620 | backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1228 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1228 | SIHClient.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain (reputation), followed by the resolved IPs:

settings-win.data.microsoft.com (whitelisted)
  • 40.127.240.158
  • 20.73.194.208
google.com (whitelisted)
  • 142.250.186.174
client.wns.windows.com (whitelisted)
  • 40.113.110.67
  • 40.115.3.253
login.live.com (whitelisted)
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.131
  • 20.190.159.71
  • 40.126.31.2
  • 40.126.31.3
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.128
  • 20.190.159.131
  • 40.126.31.130
arc.msn.com (whitelisted)
  • 20.199.58.43
slscr.update.microsoft.com (whitelisted)
  • 20.12.23.50
crl.microsoft.com (whitelisted)
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.42
www.microsoft.com (whitelisted)
  • 184.30.21.171
checkip.dyndns.org (whitelisted)
  • 132.226.8.169
  • 193.122.6.168
  • 132.226.247.73
  • 193.122.130.0
  • 158.101.44.242
fe3cr.delivery.mp.microsoft.com (whitelisted)
  • 13.95.31.18

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
2092 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2092 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2092 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2196 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
2092 | RegSvcs.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
6540 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
6540 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
6540 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
No debug info