File name: uddi.Setup.10.exe
Full analysis: https://app.any.run/tasks/7511aed3-bdf9-4641-be6d-c83c9ca51057
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: September 09, 2024, 07:26:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: gh0st, rat, stealer, remote, upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 74346C84A933EA45008317F94D8AB712
SHA1: 667A4292899ECD89CC5E344EC1367CE29EF3323D
SHA256: 528619F0EC01A0929411CCB77B7183853BBC41A5AA00880CAF32EFAD5458A6B4
SSDEEP: 6144:/7svVK32p6rlgbnSzdcx4toxGcir8AHd2z:/70p6rlInSxcxhxkr8A92z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • p5kkPz.exe (PID: 3980)
    • Gh0st has been detected

      • p5kkPz.exe (PID: 3980)
    • Connects to the CnC server

      • p5kkPz.exe (PID: 3980)
    • GH0ST has been detected (SURICATA)

      • p5kkPz.exe (PID: 3980)
    • Adds path to the Windows Defender exclusion list

      • p5kkPz.exe (PID: 3980)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • uddi.Setup.10.exe (PID: 508)
      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Reads the date of Windows installation

      • uddi.Setup.10.exe (PID: 508)
      • dX1t2c.exe (PID: 4344)
    • Application launched itself

      • uddi.Setup.10.exe (PID: 508)
    • Checks Windows Trust Settings

      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Executable content was dropped or overwritten

      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • The process executes via Task Scheduler

      • dX1t2c.exe (PID: 6816)
      • dX1t2c.exe (PID: 4344)
      • cTETul2o.exe (PID: 3180)
      • mpGtytYB.exe (PID: 5344)
    • Drops a system driver (possible attempt to evade defenses)

      • uddi.Setup.10.exe (PID: 5532)
    • Creates a file in the system drive root

      • p5kkPz.exe (PID: 3980)
      • cmd.exe (PID: 6576)
    • The process verifies whether the antivirus software is installed

      • p5kkPz.exe (PID: 3980)
    • Starts CMD.EXE for commands execution

      • p5kkPz.exe (PID: 3980)
    • Contacting a server suspected of hosting a CnC

      • p5kkPz.exe (PID: 3980)
    • Connects to unusual port

      • p5kkPz.exe (PID: 3980)
    • There is functionality for taking screenshots (YARA)

      • p5kkPz.exe (PID: 3980)
    • Starts POWERSHELL.EXE for commands execution

      • p5kkPz.exe (PID: 3980)
    • Script adds exclusion path to Windows Defender

      • p5kkPz.exe (PID: 3980)
  • INFO

    • Checks supported languages

      • uddi.Setup.10.exe (PID: 508)
      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 6816)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
      • cTETul2o.exe (PID: 3180)
    • The process uses the downloaded file

      • uddi.Setup.10.exe (PID: 508)
      • dX1t2c.exe (PID: 4344)
      • powershell.exe (PID: 4088)
      • p5kkPz.exe (PID: 3980)
    • Reads the computer name

      • uddi.Setup.10.exe (PID: 508)
      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Process checks computer location settings

      • uddi.Setup.10.exe (PID: 508)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
    • Checks proxy server information

      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Reads the software policy settings

      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Reads the machine GUID from the registry

      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Creates files or folders in the user directory

      • uddi.Setup.10.exe (PID: 5532)
      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Creates files in the program directory

      • dX1t2c.exe (PID: 4344)
      • p5kkPz.exe (PID: 3980)
      • mpGtytYB.exe (PID: 5344)
    • Sends debugging messages

      • p5kkPz.exe (PID: 3980)
    • Reads CPU info

      • p5kkPz.exe (PID: 3980)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4088)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4088)
    • Creates files in a temporary directory

      • mpGtytYB.exe (PID: 5344)
    • UPX packer has been detected

      • mpGtytYB.exe (PID: 5344)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2017:05:15 03:00:34+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 11
CodeSize: 83456
InitializedDataSize: 64000
UninitializedDataSize: -
EntryPoint: 0x6e2c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.64.0.12
ProductVersionNumber: 1.64.0.12
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Traditional)
CharacterSet: Unicode
FileDescription: FMAPP Application
FileVersion: 1.64.0.12
InternalName: FMAPP
LegalCopyright: Copyright (C) 2010
OriginalFileName: FMAPP.EXE
ProductName: FMAPP Application
ProductVersion: 1.64.0.12
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 3

Behavior graph

Graph nodes: start, uddi.setup.10.exe (no specs), uddi.setup.10.exe, dx1t2c.exe (no specs), dx1t2c.exe, svchost.exe, p5kkpz.exe (#GH0ST), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), ctetul2o.exe (no specs), mpgtytyb.exe (THREAT)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 508
CMD: "C:\Users\admin\Desktop\uddi.Setup.10.exe"
Path: C:\Users\admin\Desktop\uddi.Setup.10.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
FMAPP Application
Exit code:
0
Version:
1.64.0.12
Modules
Images
c:\users\admin\desktop\uddi.setup.10.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3180
CMD: "C:\ProgramData\cTETul2o.exe"
Path: C:\ProgramData\cTETul2o.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\programdata\ctetul2o.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3980
CMD: "C:\Program Files (x86)\p5kkPz\p5kkPz.exe"
Path: C:\Program Files (x86)\p5kkPz\p5kkPz.exe
Parent process: dX1t2c.exe
User:
admin
Company:
Sandboxie-Plus.com
Integrity Level:
HIGH
Description:
Sandboxie COM Services (BITS)
Version:
5.69.0
Modules
Images
c:\program files (x86)\p5kkpz\p5kkpz.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4088
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: p5kkPz.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4344
CMD: "C:\Users\dX1t2c\dX1t2c.exe"
Path: C:\Users\dX1t2c\dX1t2c.exe
Parent process: svchost.exe
User:
admin
Company:
CA, Inc., a Broadcom subsidiary
Integrity Level:
HIGH
Description:
64 bit PGP CBT Hook Executable
Version:
11.0.0 (Build 1042)
Modules
Images
c:\users\dx1t2c\dx1t2c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5344
CMD: "C:\ProgramData\qArARghy\mpGtytYB.exe"
Path: C:\ProgramData\qArARghy\mpGtytYB.exe
Parent process: svchost.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
TrueUpdate Client
Version:
3.8.0.0
Modules
Images
c:\programdata\qararghy\mpgtytyb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 5532
CMD: "C:\Users\admin\Desktop\uddi.Setup.10.exe"
Path: C:\Users\admin\Desktop\uddi.Setup.10.exe
Parent process: uddi.Setup.10.exe
User:
admin
Integrity Level:
HIGH
Description:
FMAPP Application
Exit code:
0
Version:
1.64.0.12
Modules
Images
c:\users\admin\desktop\uddi.setup.10.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6576
CMD: cmd /c echo.>c:\xxxx.ini
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: p5kkPz.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 9 280
Read events: 9 252
Write events: 28
Delete events: 0

Modification events

(PID) Process: (5532) uddi.Setup.10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5532) uddi.Setup.10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5532) uddi.Setup.10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4344) dX1t2c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4344) dX1t2c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4344) dX1t2c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4344) dX1t2c.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (3980) p5kkPz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (3980) p5kkPz.exe
Key: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron
Operation: write
Name: Groupfenzhu
Value:

(PID) Process: (3980) p5kkPz.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Sauron
Operation: write
Name: Remarkbeizhu
Value:
Executable files: 10
Suspicious files: 11
Text files: 28
Unknown types: 1

Dropped files

PID | Process | Filename | Type
5532 | uddi.Setup.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_9846178851E5A66B7B121BA7D417F710 | der
MD5: A3B2EE3D42B1137495FDB6ABE88FA515
SHA256: F7122BAAEA9581D21295DFA3A9B802A1C10E77F963BEACFD22B6FCD01569EDFF
5532 | uddi.Setup.10.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\b[1].gif | image
MD5: 4254DA2B440EF6D1AF5EB8654447DBDD
SHA256: C6195993F9B2EB3932951D219908B56048E8568CB2797EA0C7603ECB707BBDE0
5532 | uddi.Setup.10.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\i[1].dat | binary
MD5: 01C3371898DEC59489DD88289D7FE89F
SHA256: D1664720338F1EDC58A226A765147D3D7621784F4DB318485A209B154382A6C9
5532 | uddi.Setup.10.exe | C:\Users\dX1t2c\dX1t2c.exe | executable
MD5: 077F1A259DFF42F13E161CEF54CF68A4
SHA256: 29FD67A01830B789DA4241C85F758AD2B0CB7D6E4804F9129344E5C2FCBC301E
5532 | uddi.Setup.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | der
MD5: DB9B8D08E728910E992A8E8C781A1099
SHA256: 1C0E3322115496082207E1D425F60D0E81219270ABAF890F4F6F00F88BFBDCA5
4344 | dX1t2c.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\FOM-51[1].jpg |
MD5:
SHA256:
5532 | uddi.Setup.10.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\a[1].gif | image
MD5: 5E7BEB6051D93CB60C2810BB74405951
SHA256: 77BD0EF8A95D3042D7E147DB49A583656E825BAFA18E00AFD631F60499A0287B
4344 | dX1t2c.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\FOM-52[1].jpg |
MD5:
SHA256:
4344 | dX1t2c.exe | C:\Program Files (x86)\p5kkPz\log.src |
MD5:
SHA256:
5532 | uddi.Setup.10.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_9846178851E5A66B7B121BA7D417F710 | binary
MD5: E2700AB9725C58BE78C0F64CE7B6925A
SHA256: 71F082129C642AED68D058BE25DA1E855051EC1382A5B35A8ABE5F70327C6C43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 48
DNS requests: 19
Threats: 10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5532 | uddi.Setup.10.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkcHsQGaDFetObPhfan5 | unknown | whitelisted
1440 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5532 | uddi.Setup.10.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/gsorganizationvalsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSVLM6m9XSaK2pXyc357yFJVjgNwQQUaIa4fXrZbUlrhy8YixU0bNe0eg4CDEUBn06G5%2Fau8iuoIA%3D%3D | unknown | whitelisted
3292 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4344 | dX1t2c.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/gsorganizationvalsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSVLM6m9XSaK2pXyc357yFJVjgNwQQUaIa4fXrZbUlrhy8YixU0bNe0eg4CDFch5OVz%2FH8JKgSY1Q%3D%3D | unknown | whitelisted
3292 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7128 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5532 | uddi.Setup.10.exe | 39.97.203.104:443 | 69sso.oss-cn-beijing.aliyuncs.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious
5532 | uddi.Setup.10.exe | 104.18.20.226:80 | ocsp.globalsign.com | CLOUDFLARENET | | whitelisted
1440 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.113.103.199
whitelisted
69sso.oss-cn-beijing.aliyuncs.com
  • 39.97.203.104
unknown
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
ocsp2.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.140
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.76
  • 20.190.160.14
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

PID
Process
Class
Message
2256 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
5532 | uddi.Setup.10.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
2256 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
4344 | dX1t2c.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
2256 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3980 | p5kkPz.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
5344 | mpGtytYB.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
3 ETPRO signatures available at the full report
Process | Message
p5kkPz.exe | Thread running... (10 identical entries)