File name: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe

Full analysis: https://app.any.run/tasks/80d0f5dc-95ab-4fe4-aec6-58c234c3ba23
Verdict: Malicious activity
Threats:

Phobos is ransomware that locks or encrypts files to demand a ransom. It uses AES encryption and appends varying extensions to the encrypted files, which leaves no chance to recover them.

Analysis date: June 29, 2024, 22:33:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phobos, ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2C78F28A0F3DBD0F45F96F4AEE72E8EE
SHA1: F10803CF1D160020E3F611E9F2DD8BE93CB7D7EF
SHA256: 6597018298AAAC827ABB1C58E4B6D7967993B4012EAA83B5540475E0F4F9D34F
SSDEEP: 1536:KymNrLwC/WPYQ3CUXe3f/fgYoPPK2wxufMIzXofka:Kymdw49Q3teHfgYUK3xAzXe3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3380)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • PHOBOS has been detected

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Changes the autorun value in the registry

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3380)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Creates files in the Startup directory

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Deletes shadow copies

      • cmd.exe (PID: 2108)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 2108)
    • Actions look like stealing of personal data

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Renames files like ransomware

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3400)
    • Application launched itself

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3400)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3380)
    • Starts CMD.EXE for command execution

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Reads the Internet Settings

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3400)
      • notepad.exe (PID: 2856)
      • WMIC.exe (PID: 4012)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2852)
      • wbengine.exe (PID: 2120)
      • vds.exe (PID: 2328)
    • Process drops a legitimate Windows executable

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Executable content was dropped or overwritten

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Creates a file in the system drive root

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2300)
    • The process creates files with name similar to system file names

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Reads browser cookies

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
  • INFO

    • Checks supported languages

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3380)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3400)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Reads the computer name

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3400)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3380)
      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Creates files or folders in the user directory

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Creates files in the program directory

      • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (PID: 3372)
    • Manual execution by a user

      • notepad.exe (PID: 2856)
      • notepad.exe (PID: 832)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:31 14:17:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 34304
InitializedDataSize: 15872
UninitializedDataSize: -
EntryPoint: 0x2fa7
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 63
Monitored processes: 19
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown ("no specs" is the report's own tag on an entry):
  • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
  • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe (no specs)
  • 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • vssadmin.exe (no specs)
  • netsh.exe (no specs)
  • vssvc.exe (no specs)
  • netsh.exe (no specs)
  • PhotoViewer.dll (no specs)
  • wmic.exe (no specs)
  • bcdedit.exe (no specs)
  • bcdedit.exe (no specs)
  • wbadmin.exe (no specs)
  • wbengine.exe (no specs)
  • vdsldr.exe (no specs)
  • vds.exe (no specs)
  • notepad.exe (no specs)
  • notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 832
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\test.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1044
CMD: vssadmin delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1516
CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2080
CMD: netsh advfirewall set currentprofile state off
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 2108
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2120
CMD: "C:\Windows\system32\wbengine.exe"
Path: C:\Windows\System32\wbengine.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Block Level Backup Engine Service EXE
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbengine.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2300
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2328
CMD: C:\Windows\System32\vds.exe
Path: C:\Windows\System32\vds.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Virtual Disk Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
PID: 2852
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2856
CMD: "C:\Windows\system32\notepad.exe"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 10 237
Read events: 10 063
Write events: 170
Delete events: 4

Modification events

Process: (3400) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3400) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3400) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3400) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3372) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f
Value: C:\Users\admin\AppData\Local\6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe

Process: (3372) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f
Value: C:\Users\admin\AppData\Local\6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe

Process: (2080) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3676) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3380) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f
Value: C:\Users\admin\AppData\Local\6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe

Process: (3380) 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f
Value: C:\Users\admin\AppData\Local\6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Executable files: 174
Suspicious files: 3 826
Text files: 9
Unknown types: 0

Dropped files

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: -
MD5: -
SHA256: -

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: -
MD5: -
SHA256: -

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: -
MD5: -
SHA256: -

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: binary
MD5: 8BB6B4704FEF80ECC613B6436E7AB315
SHA256: F15255671D1E898D39B5BCB55EA494D9EE7CF381740545989519CCE24EB39581

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\branding.xml.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: binary
MD5: D5DFD00EC358F57E97A034B017CDD73A
SHA256: A2068C5BCACEC04A78C8FB662311217BC6410D825367FCE7CA9DDB09BD2413C8

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccLR.cab.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: -
MD5: -
SHA256: -

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: binary
MD5: 1E4DF5F7ABBE3D13DBE5DE1C9A8977DA
SHA256: 8FA4257FC3EB624F4C415DFF2994BBBFCE9BB14E5A9315ED3CC31AAF1874B1DD

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: binary
MD5: 8CA5A0927EE43F242D51989C544AAC97
SHA256: 58E5F3FE98F81EB3388D155C0857C8D47B2BB401D8DCF7AFC9AA1BC2EFF7BAD9

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\Users\admin\AppData\Local\6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Type: executable
MD5: 2C78F28A0F3DBD0F45F96F4AEE72E8EE
SHA256: 6597018298AAAC827ABB1C58E4B6D7967993B4012EAA83B5540475E0F4F9D34F

PID: 3372
Process: 6597018298aaac827abb1c58e4b6d7967993b4012eaa83b5540475e0f4f9d34f.exe
Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Setup.xml.id[C4BA3647-3483].[recovery8files@onionmail.org].8base
Type: binary
MD5: AD53EF0D52EAA1AF8AF11AF69BD01C21
SHA256: 47F81E5620A677CCFECA3C1602F76ABD2199E3CB5966B85FF5F1D975E526053F
HTTP(S) requests: 4
TCP/UDP connections: 13
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1060 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted

Threats

No threats detected
No debug info