File name: 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf

Full analysis: https://app.any.run/tasks/4542ab67-4e89-4867-8d7d-2ef35b826260
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: April 11, 2025, 19:47:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: gh0st, rat, sainbox, vmprotect, rdp, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 1692C83E2458AC66B48699FBC64162C4
SHA1: 75CE56D6B9932C22358FF0D3E91EAA2835B3D252
SHA256: 46F691B1CC209E31EB9FB5875C45C41DA72687B1C454C61F2D4526DAECA143BF
SSDEEP: 49152:ZaKoXA2V5VqZMBys8KZB6j/uDGspoHc+bi3vt2NCjE2NWgwvnfKKoTCZ+gKyEYVn:ZaKr2VHqZMR8KZB6j/vHc+bilgWEqWgg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7764)
    • GH0ST mutex has been found

      • AK74.exe (PID: 7976)
      • Ghiya.exe (PID: 8040)
      • Ghiya.exe (PID: 8068)
      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Starts CMD.EXE for self-deletion

      • AK74.exe (PID: 7976)
    • GH0ST has been detected

      • AK74.exe (PID: 7976)
    • SAINBOX has been detected

      • Ghiya.exe (PID: 8068)
    • Changes the autorun value in the registry

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Creates files in the Startup directory

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 7372)
      • wscript.exe (PID: 7380)
  • SUSPICIOUS

    • Mutex name with non-standard characters

      • AK47.exe (PID: 7932)
      • AK47.exe (PID: 7940)
      • Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (PID: 1228)
    • Executable content was dropped or overwritten

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
      • AK47.exe (PID: 7932)
      • AK74.exe (PID: 7976)
      • Ghiya.exe (PID: 8068)
    • Creates or modifies Windows services

      • AK47.exe (PID: 7932)
      • Ghiya.exe (PID: 8068)
    • Reads security settings of Internet Explorer

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Starts CMD.EXE for commands execution

      • AK74.exe (PID: 7976)
    • Hides command output

      • cmd.exe (PID: 8060)
    • Application launched itself

      • Ghiya.exe (PID: 8040)
    • Creates files in the driver directory

      • Ghiya.exe (PID: 8068)
    • Executes as Windows Service

      • Ghiya.exe (PID: 8040)
    • The process executes VB scripts

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 7380)
      • wscript.exe (PID: 7372)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 7372)
      • wscript.exe (PID: 7380)
    • Connects to unusual port

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • There is functionality for taking screenshot (YARA)

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
      • Ghiya.exe (PID: 8068)
    • There is functionality for enabling RDP (YARA)

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Drops a system driver (possible attempt to evade defenses)

      • Ghiya.exe (PID: 8068)
    • Runs PING.EXE to introduce a delay

      • cmd.exe (PID: 8060)
  • INFO

    • The sample was compiled with Chinese language support

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Checks supported languages

      • AK47.exe (PID: 7940)
      • AK47.exe (PID: 7932)
      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
      • AK74.exe (PID: 7976)
      • Ghiya.exe (PID: 8040)
      • Ghiya.exe (PID: 8068)
    • Reads the computer name

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
      • AK47.exe (PID: 7932)
      • Ghiya.exe (PID: 8040)
      • AK74.exe (PID: 7976)
      • Ghiya.exe (PID: 8068)
    • Process checks computer location settings

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Creates files in a temporary directory

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • VMProtect protector has been detected

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Creates files or folders in the user directory

      • 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (PID: 7868)
    • Checks proxy server information

      • slui.exe (PID: 7272)
    • Reads the software policy settings

      • slui.exe (PID: 7272)
    • UPX packer has been detected

      • Ghiya.exe (PID: 8068)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:03:29 14:48:39+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 3530752
InitializedDataSize: 835584
UninitializedDataSize: -
EntryPoint: 0x2dfb0a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: Windows 配置程序 ("Windows configuration program")
ProductName: Windows 核心进程 ("Windows core process")
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版 ("Copyright held by the author; please respect it and use the genuine version")
Comments: 本程序使用易语言编写(http://www.eyuyan.com) ("This program was written in Easy Programming Language (易语言)")
Total processes: 141
Monitored processes: 14
Malicious processes: 6
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in the order listed ("no specs" marks a process with no flagged indicators; #GH0ST and #SAINBOX mark the detected families): start, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (#GH0ST), ak47.exe, ak47.exe (no specs), ak74.exe (#GH0ST), ghiya.exe (no specs), cmd.exe (no specs), ghiya.exe (#SAINBOX), conhost.exe (no specs), ping.exe (no specs), wscript.exe (no specs), wscript.exe (no specs), ö÷¶¯·àóù·þîñ䣿é.exe (no specs), slui.exe, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe (no specs)

Process information

PID 1228
  CMD: C:\WINDOWS\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\1100453.txt",MainThread
  Path: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  Parent process: svchost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows host process (Rundll32)
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Note: the image name is GBK-encoded bytes rendered in a Latin-1 code page; decoded it reads 主动防御服务模块.exe ("active defense service module"). The Description and Version fields are those of rundll32.exe, and the command line uses the rundll32 <module>,<entry> syntax to load c:\windows\system32\1100453.txt.
  Modules (images):
    c:\windows\syswow64\ö÷¶¯·àóù·þîñ䣿é.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\msvcrt.dll
    c:\windows\syswow64\combase.dll

PID 7272
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7372
  CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
  Path: C:\Windows\SysWOW64\wscript.exe
  Parent process: 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Version: 5.812.10240.16384
  Modules (images):
    c:\windows\syswow64\wscript.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 7380
  CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
  Path: C:\Windows\SysWOW64\wscript.exe
  Parent process: 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Version: 5.812.10240.16384
  Modules (images):
    c:\windows\syswow64\wscript.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 7764
  CMD: "C:\Users\admin\Desktop\46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe"
  Path: C:\Users\admin\Desktop\46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Modules (images):
    c:\users\admin\desktop\46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 7868
  CMD: "C:\Users\admin\Desktop\46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe"
  Path: C:\Users\admin\Desktop\46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Modules (images):
    c:\users\admin\desktop\46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\ws2_32.dll

PID 7932
  CMD: "C:\Users\admin\AppData\Local\Temp\AK47.exe"
  Path: C:\Users\admin\AppData\Local\Temp\AK47.exe
  Parent process: 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  User: admin
  Company: FEIM Studios
  Integrity Level: HIGH
  Description: A Free Enterprise Instant Messenger
  Exit code: 0
  Version: 3, 5, 0, 1
  Modules (images):
    c:\users\admin\appdata\local\temp\ak47.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 7940
  CMD: C:\Users\admin\AppData\Local\Temp\\AK47.exe
  Path: C:\Users\admin\AppData\Local\Temp\AK47.exe
  Parent process: 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  User: admin
  Company: FEIM Studios
  Integrity Level: HIGH
  Description: A Free Enterprise Instant Messenger
  Exit code: 0
  Version: 3, 5, 0, 1
  Modules (images):
    c:\users\admin\appdata\local\temp\ak47.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 7976
  CMD: C:\Users\admin\AppData\Local\Temp\\AK74.exe
  Path: C:\Users\admin\AppData\Local\Temp\AK74.exe
  Parent process: 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\ak74.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 8040
  CMD: C:\WINDOWS\SysWOW64\Ghiya.exe -auto
  Path: C:\Windows\SysWOW64\Ghiya.exe
  Parent process: services.exe
  User: SYSTEM
  Integrity Level: SYSTEM
  Exit code: 0
  Modules (images):
    c:\windows\syswow64\ghiya.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
Total events: 8 291
Read events: 8 272
Write events: 19
Delete events: 0

Modification events

(PID 7868) 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  Operation: write
  Name: SlowContextMenuEntries
  Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID 7868) 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: write
  Name: 360safo
  Value: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe

(PID 8068) Ghiya.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
  Operation: write (eight values written to the same service key)
  Type = 2 (SERVICE_FILE_SYSTEM_DRIVER)
  Start = 1 (SERVICE_SYSTEM_START)
  ErrorControl = 0
  ImagePath = system32\DRIVERS\QAssist.sys
  DisplayName = QAssist
  Group = FSFilter Activity Monitor
  DependOnService = FltMgr
  DebugFlags = 0
Executable files: 7
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID 7868, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Filename: C:\Users\admin\AppData\Local\Temp\AK74.exe (executable)
  MD5: B0998AA7D5071D33DAA5B60B9C3C9735
  SHA256: 3080B6BB456564899B0D99D4131BD6A0B284D31F7D80EF773E4872D94048D49A

PID 7868, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe (executable)
  MD5: 64B34A9EC56336E309F7904917C2E847
  SHA256: DD5B9AB5B23629076313EE9E9184EC4D8A6F9BF75EAFA8BE8EECF7D428045A2E

PID 7932, AK47.exe
  Filename: C:\Windows\SysWOW64\1100453.txt (executable)
  MD5: 591D30B83189A48F1E4D6F3E9B716F73
  SHA256: CFC3BEB59676AC47A1C705E7B2B0D8147B63D386619546985FCA5BB73E0235EE

PID 7868, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Filename: C:\Users\admin\AppData\Roaming\svchcst.exe (executable; same hashes as the analysed sample)
  MD5: 1692C83E2458AC66B48699FBC64162C4
  SHA256: 46F691B1CC209E31EB9FB5875C45C41DA72687B1C454C61F2D4526DAECA143BF

PID 7976, AK74.exe
  Filename: C:\Windows\SysWOW64\Ghiya.exe (executable; same hashes as AK74.exe)
  MD5: B0998AA7D5071D33DAA5B60B9C3C9735
  SHA256: 3080B6BB456564899B0D99D4131BD6A0B284D31F7D80EF773E4872D94048D49A

PID 7868, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk (binary)
  MD5: 0DFC6AAF0513E8335F9880A21FC65151
  SHA256: 92865322A0E45A82F8D5526AA90C69DF557152AAAD4AD4600D16B2756A9CA4C7

PID 7868, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Filename: C:\Users\admin\AppData\Local\Temp\AK47.exe (executable)
  MD5: 423EB994ED553294F8A6813619B8DA87
  SHA256: 050B4F2D5AE8EAECD414318DC8E222A56F169626DA6CA8FEB7EDD78E8B1F0218

PID 7932, AK47.exe
  Filename: C:\Windows\SysWOW64\ini.ini (text)
  MD5: 41B03E1A649DC62861F3FB8F50477ADA
  SHA256: ECB7EFB49BA652FF8F270BE6437FEFFBE34EC98AD156B24173BF763586F2F566

PID 7868, 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Config.ini (text)
  MD5: 29CE53E2A4A446614CCC8D64D346BDE4
  SHA256: 56225BE6838BC6E93EA215891EACF28844AE27A9F8B2B29BF19D3A8C2B1F58DF

PID 8068, Ghiya.exe
  Filename: C:\Windows\System32\drivers\QAssist.sys (executable)
  MD5: 4E34C068E764AD0FF0CB58BC4F143197
  SHA256: 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B
HTTP(S) requests: 3
TCP/UDP connections: 25
DNS requests: 35
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
7868 | 46f691b1cc209e31eb9fb5875c45c41da72687b1c454c61f2d4526daeca143bf.exe | 43.249.193.73:54997 | - | CHINA UNICOM China169 Backbone | CN | unknown
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7500 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7272 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 2.18.121.147, 2.18.121.139 | whitelisted
cf1549064127.f3322.net | - | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info