File name: KMS_Suite.v9.EN.cmd

Full analysis: https://app.any.run/tasks/7bf49a48-36d2-4023-89ad-8baadf16b483
Verdict: Malicious activity
Analysis date: December 10, 2024, 18:02:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: F9906448D778C93D1B96F87E92E9B436
SHA1: 6ABA4598E1D4D6229660AD7DCA38783E023032A6
SHA256: 54C33E9C26EF68F0521CB6D6A416FCD2A6C22537D49ADE62DB6935CCC4129927
SSDEEP: 6144:v//IcTFOn9KJVZPIlhkWbN9W3KunRn5VgkTa0phULoqrHC4e4ywKJO32R2V2Dpl8:vIWFOns5QfROnPVg69kLomHC2yUl2N6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 5968)
      • net.exe (PID: 3812)
  • SUSPICIOUS

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 4244)
      • net.exe (PID: 3688)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 4244)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 7040)
      • cmd.exe (PID: 5968)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 4244)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 7040)
      • cmd.exe (PID: 5968)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6212)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6628)
    • Unpacks CAB file

      • expand.exe (PID: 6964)
    • Executable content was dropped or overwritten

      • expand.exe (PID: 6964)
      • xcopy.exe (PID: 7016)
      • csc.exe (PID: 6628)
    • Starts process via Powershell

      • powershell.exe (PID: 7080)
    • Executing commands from ".cmd" file

      • powershell.exe (PID: 7080)
      • cmd.exe (PID: 4244)
    • Process drops legitimate windows executable

      • expand.exe (PID: 6964)
    • Application launched itself

      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 5968)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 7080)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 5968)
    • The executable file from the user directory is run by the CMD process

      • center.exe (PID: 5256)
      • center.exe (PID: 7064)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3524)
      • wscript.exe (PID: 5096)
      • wscript.exe (PID: 7156)
    • The process executes VB scripts

      • cmd.exe (PID: 5968)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3524)
      • wscript.exe (PID: 7156)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5096)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 4976)
      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 7088)
      • cmd.exe (PID: 5032)
      • cmd.exe (PID: 5320)
      • cmd.exe (PID: 5836)
    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 5968)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 5968)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 904)
      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 3876)
      • cmd.exe (PID: 4556)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 904)
      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 5968)
    • Manipulates environment variables

      • powershell.exe (PID: 6212)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 5096)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5968)
    • Hides command output

      • cmd.exe (PID: 5404)
      • cmd.exe (PID: 1572)
      • cmd.exe (PID: 4704)
      • cmd.exe (PID: 3832)
      • cmd.exe (PID: 5080)
      • cmd.exe (PID: 4556)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5968)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 5968)
  • INFO

    • Checks supported languages

      • mode.com (PID: 6188)
      • expand.exe (PID: 6964)
      • cvtres.exe (PID: 6692)
      • csc.exe (PID: 6628)
      • mode.com (PID: 904)
      • center.exe (PID: 5256)
      • mode.com (PID: 5604)
      • DisableX.exe (PID: 2972)
      • DisableX.exe (PID: 6844)
      • mode.com (PID: 3912)
      • center.exe (PID: 7064)
      • mode.com (PID: 7116)
      • mode.com (PID: 5720)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 6628)
      • expand.exe (PID: 6964)
    • Create files in a temporary directory

      • cvtres.exe (PID: 6692)
      • expand.exe (PID: 6964)
      • xcopy.exe (PID: 7016)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6212)
    • The sample compiled with english language support

      • expand.exe (PID: 6964)
      • xcopy.exe (PID: 7016)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 904)
      • mode.com (PID: 5604)
      • mode.com (PID: 6728)
      • mode.com (PID: 6188)
      • mode.com (PID: 6980)
      • mode.com (PID: 7116)
      • mode.com (PID: 3912)
      • mode.com (PID: 5720)
      • mode.com (PID: 5604)
    • The process uses the downloaded file

      • cmd.exe (PID: 5968)
      • wscript.exe (PID: 3524)
    • Checks operating system version

      • cmd.exe (PID: 5968)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5268)
      • WMIC.exe (PID: 6680)
      • WMIC.exe (PID: 7120)
      • WMIC.exe (PID: 6232)
      • WMIC.exe (PID: 3732)
      • WMIC.exe (PID: 5316)
      • WMIC.exe (PID: 4724)
      • WMIC.exe (PID: 2040)
      • WMIC.exe (PID: 5880)
      • WMIC.exe (PID: 6076)
      • WMIC.exe (PID: 5240)
      • WMIC.exe (PID: 5872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 285
Monitored processes: 157
Malicious processes: 5
Suspicious processes: 4

Behavior graph


Process information

PID: 440
Parent process: cmd.exe
CMD: findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : ' , |]*^"
Path: C:\Windows\System32\findstr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 556
Parent process: cmd.exe
CMD: C:\WINDOWS\system32\cmd.exe /c time /t
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 556
Parent process: cmd.exe
CMD: REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
Path: C:\Windows\System32\reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 648
Parent process: cmd.exe
CMD: icacls "C:\WINDOWS\System32\KMS.dll" /findsid *S-1-5-32-545
Path: C:\Windows\System32\icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
PID: 768
Parent process: cmd.exe
CMD: reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
Path: C:\Windows\System32\reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 904
Parent process: cmd.exe
CMD: mode con: cols=90 lines=40
Path: C:\Windows\System32\mode.com
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DOS Device MODE Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ureg.dll
PID: 904
Parent process: cmd.exe
CMD: C:\WINDOWS\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c') get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, DiscoveredKeyManagementServiceMachineIpAddress, KeyManagementServiceLookupDomain, ProductKeyChannel, VLActivationTypeEnabled /value" | findstr =
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 904
Parent process: cmd.exe
CMD: FIND /I "0x70"
Path: C:\Windows\System32\find.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 936
Parent process: net.exe
CMD: C:\WINDOWS\system32\net1 start sppsvc /y
Path: C:\Windows\System32\net1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
PID: 1328
Parent process: cmd.exe
CMD: cmd /c exit /b 0
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 24 781
Read events: 24 768
Write events: 13
Delete events: 0

Modification events

(PID) Process: (5968) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (6856) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform
Operation: write
Name: NoGenTicket
Value: 1

(PID) Process: (2040) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: VerifierDlls
Value: KMS.dll

(PID) Process: (7108) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: VerifierDebug
Value: 0

(PID) Process: (7136) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: VerifierFlags
Value:

(PID) Process: (5268) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: GlobalFlag
Value: 256

(PID) Process: (7084) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: KMS_Emulation
Value: 1

(PID) Process: (6200) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: KMS_ActivationInterval
Value: 43200

(PID) Process: (5712) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: KMS_HWID
Value: 7600B60096041C3A

(PID) Process: (6076) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation: write
Name: KMS_RenewalInterval
Value: 43200
Executable files: 28
Suspicious files: 3
Text files: 55
Unknown types: 1

Dropped files

PID | Process | Filename | Type
6628 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC3DE4C58248FC41529C11263D878AC7D.TMP | res
  MD5: 39C06700F5A227E9F7B7F7F6FC0B1F01
  SHA256: 8BCEB0C09BF6C8508269045FE587ACFDD3875FEC52468F95CE4E11D832CC13F4
6628 | csc.exe | C:\Users\admin\AppData\Local\Temp\5owkljzn.out | text
  MD5: 5A5F7E81228505F7680075F47E86BB30
  SHA256: 1D514630419CAD17D8DB1F1742BF9F3EE0403D396B82F7EEE8A646601FF7DA4F
6212 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5owkljzn.cmdline | text
  MD5: 4026B173A55C8CFBC96FCA1B032095C0
  SHA256: B4B654855D4C088B748AC0C2D6EB9B580200B3EA4DD2F597ED14E059AA8C77C8
6692 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES5DD3.tmp | o
  MD5: AA9824B10BADA9030929B27355425FCC
  SHA256: 6B87DA2E970AA7D4FAE5CFAC42CC2ABE5854115C65B1A0B8C07191F560BAAD47
6212 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cp4b5vcl.ryt.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6212 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jrbachpy.1wj.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6964 | expand.exe | C:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\center.exe | executable
  MD5: 0A847EAFDDC4529388E1A1B291354CF8
  SHA256: 69533D9B66B840B4764F901CD6A502D12453B604617A841F4C2C602FC87DF255
6964 | expand.exe | C:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\Digital\Digital_KMS38.cmd | text
  MD5: 7ACB31D34D4D1E86A98B8C4C4E214D10
  SHA256: 3372925083552A8E3CB65B56F7E1886E567E00D6ADBE241401C361ABD65DE7ED
6628 | csc.exe | C:\Users\admin\AppData\Local\Temp\5owkljzn.dll | executable
  MD5: B4F093C6E8174724AB61C486D3E9AD1E
  SHA256: 468612D83756B30F02E5BE789A2915FE644100F90BDE04B1DFADB258A5759973
6212 | powershell.exe | C:\Users\admin\AppData\Local\Temp\1 | compressed
  MD5: 2F3B771C22DB25813A4530B5BAE62636
  SHA256: 9B6B0BDEDBC8B408D93F5FC4FC69605CE6547894D9B0A263920CD8911D2B44B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 32
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
6388 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | | | whitelisted
4668 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
4668 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
 | | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
 | | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5064 | SearchApp.exe | 2.23.209.141:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
1176 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 2.23.209.141
  • 2.23.209.183
  • 2.23.209.182
  • 2.23.209.144
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.135
  • 2.23.209.187
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.64
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.105.99.58
whitelisted

Threats

No threats detected
No debug info