File name:

virus.zip

Full analysis: https://app.any.run/tasks/111be40b-626a-463f-bb7f-827e79096f58
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: March 24, 2025, 00:47:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
attachments
attc-unc
arch-exec
arch-doc
stealer
lumma
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

200E60440114A7D93916B0D862E44C24

SHA1:

428E8CC692E70299996EF5BCF506F7212417CDA6

SHA256:

712A0749FD010E635EB1EA6D8D9EB685CC52FB353043A140B33F1C4902DD94D9

SSDEEP:

196608:piLtGpDWFMcnkqhzRRNT8HWTK1jm8bRVCqdz:vpenHRPTrTCjm8FVdz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7412)
    • Known privilege escalation attack

      • dllhost.exe (PID: 8188)
    • LUMMA mutex has been found

      • svchost.exe (PID: 660)
      • svchost.exe (PID: 6480)
    • Steals credentials from Web Browsers

      • svchost.exe (PID: 660)
      • svchost.exe (PID: 6480)
    • Executing a file with an untrusted certificate

      • kcpytkt.exe (PID: 7800)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 7412)
      • Set-up.exe (PID: 7300)
    • Executable content was dropped or overwritten

      • Set-up.exe (PID: 7300)
      • Set-up.exe (PID: 5404)
    • The process drops C-runtime libraries

      • Set-up.exe (PID: 7300)
    • Starts application with an unusual extension

      • Set-up.exe (PID: 7300)
      • Set-up.exe (PID: 1512)
      • Set-up.exe (PID: 5404)
      • Set-up.exe (PID: 680)
    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 5728)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 660)
    • Searches for installed software

      • svchost.exe (PID: 660)
      • svchost.exe (PID: 6480)
    • Executes application which crashes

      • git-credential-manager-ui.exe (PID: 7000)
  • INFO

    • The sample compiled with russian language support

      • WinRAR.exe (PID: 7412)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7412)
      • Set-up.exe (PID: 7300)
      • Set-up.exe (PID: 5404)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7236)
      • BackgroundTransferHost.exe (PID: 5556)
      • BackgroundTransferHost.exe (PID: 5728)
      • BackgroundTransferHost.exe (PID: 4988)
      • BackgroundTransferHost.exe (PID: 4000)
      • dllhost.exe (PID: 8188)
      • Taskmgr.exe (PID: 8088)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 5556)
      • slui.exe (PID: 6436)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7412)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 5556)
      • slui.exe (PID: 7584)
      • slui.exe (PID: 6436)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 5556)
      • WerFault.exe (PID: 2552)
    • Manual execution by a user

      • Set-up.exe (PID: 7300)
      • Taskmgr.exe (PID: 7768)
      • Taskmgr.exe (PID: 8088)
      • Set-up.exe (PID: 5404)
      • Acrobat.exe (PID: 3032)
      • WhoUses.exe (PID: 4016)
      • kcpytkt.exe (PID: 7800)
      • KillProc_framewoork.exe (PID: 7496)
      • KillProc_framewoork.exe (PID: 4200)
      • git-credential-manager-ui.exe (PID: 7000)
      • ArmouryHtmlDebugServer.exe (PID: 7948)
      • Set-up.exe (PID: 680)
    • Creates files in the program directory

      • Set-up.exe (PID: 7300)
    • Reads the computer name

      • Set-up.exe (PID: 7300)
      • more.com (PID: 5680)
      • Set-up.exe (PID: 1512)
      • MSBuild.exe (PID: 5988)
      • more.com (PID: 1188)
      • ShellExperienceHost.exe (PID: 5728)
      • Set-up.exe (PID: 5404)
      • MSBuild.exe (PID: 2420)
      • more.com (PID: 8144)
      • git-credential-manager-ui.exe (PID: 7000)
      • Set-up.exe (PID: 680)
      • more.com (PID: 2840)
      • Set-up.exe (PID: 2852)
    • Checks supported languages

      • Set-up.exe (PID: 7300)
      • more.com (PID: 5680)
      • Set-up.exe (PID: 1512)
      • MSBuild.exe (PID: 5988)
      • more.com (PID: 1188)
      • ShellExperienceHost.exe (PID: 5728)
      • Set-up.exe (PID: 5404)
      • MSBuild.exe (PID: 2420)
      • more.com (PID: 8144)
      • KillProc_framewoork.exe (PID: 4200)
      • git-credential-manager-ui.exe (PID: 7000)
      • Set-up.exe (PID: 2852)
      • ArmouryHtmlDebugServer.exe (PID: 7948)
      • Set-up.exe (PID: 680)
      • more.com (PID: 2840)
    • Create files in a temporary directory

      • Set-up.exe (PID: 7300)
      • Set-up.exe (PID: 1512)
      • Set-up.exe (PID: 5404)
      • Set-up.exe (PID: 680)
      • Set-up.exe (PID: 2852)
    • Reads the machine GUID from the registry

      • more.com (PID: 5680)
      • MSBuild.exe (PID: 5988)
      • MSBuild.exe (PID: 2420)
      • git-credential-manager-ui.exe (PID: 7000)
      • more.com (PID: 2840)
    • Application launched itself

      • Acrobat.exe (PID: 3032)
      • AcroCEF.exe (PID: 7912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (21)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:03:24 00:46:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: virus/
No data.
All screenshots are available in the full report
Total processes
195
Monitored processes
51
Malicious processes
4
Suspicious processes
6

Behavior graph

start winrar.exe sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs rundll32.exe no specs set-up.exe more.com no specs conhost.exe no specs CMSTPLUA set-up.exe no specs msbuild.exe no specs more.com no specs conhost.exe no specs #LUMMA svchost.exe shellexperiencehost.exe no specs slui.exe taskmgr.exe no specs taskmgr.exe set-up.exe msbuild.exe no specs more.com no specs conhost.exe no specs #LUMMA svchost.exe acrobat.exe no specs acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs whouses.exe no specs conhost.exe no specs killproc_framewoork.exe no specs killproc_framewoork.exe kcpytkt.exe no specs conhost.exe no specs git-credential-manager-ui.exe conhost.exe no specs werfault.exe no specs armouryhtmldebugserver.exe no specs set-up.exe no specs more.com no specs conhost.exe no specs set-up.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 516
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: git-credential-manager-ui.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 660
CMD: "C:\WINDOWS\system32\svchost.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: MSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 680
CMD: "C:\Users\admin\Desktop\virus\Set-up.exe"
Path: C:\Users\admin\Desktop\virus\Set-up.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\virus\set-up.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\users\admin\desktop\virus\qtgui4.dll
c:\users\admin\desktop\virus\qtcore4.dll
PID: 736
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 976
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: C:\WINDOWS\SysWOW64\more.com
Path: C:\Windows\SysWOW64\more.com
Parent process: Set-up.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID: 1188
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1760 --field-trial-handle=1604,i,4417630830600772824,6645803987201412889,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1512
CMD: "C:\Users\admin\Desktop\virus\Set-up.exe"
Path: C:\Users\admin\Desktop\virus\Set-up.exe
Parent process: dllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\virus\set-up.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\users\admin\desktop\virus\qtcore4.dll
c:\users\admin\desktop\virus\qtgui4.dll
PID: 1676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2420
CMD: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: Set-up.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\users\admin\appdata\local\temp\agrsjrqvgi
c:\windows\syswow64\msi.dll
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
Total events
21 940
Read events
21 745
Write events
184
Delete events
11

Modification events

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\virus.zip

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7412) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7236) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7236) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files
61
Suspicious files
125
Text files
60
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\libcrypto-1_1.dll
Type:
MD5:
SHA256:

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\Microsoft.VisualStudio.ErrorListPkg.dll
Type: executable
MD5: 1F717A2FC767EB7B51EE3140C28EC1EF
SHA256: 9DC36A6660C950524D4D32F0E4D3E0D4BDA680C0B6301FA7B2F3F2B70E38340B

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\Microsoft.TeamFoundation.Build.Controls.resources.dll
Type: executable
MD5: 5E4844DB9B214C6F38C69126303DADEF
SHA256: 76758C8F90CC0554B010D580E21F4DDB1C41797F17ECD62EA968DC381AFA024C

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Comn.dll
Type: executable
MD5: F76F5A566CBB5F561D26E7ACA841C723
SHA256: 9DAAED978746AA51B30F27104D89CC16230042E41427E610A8E609CDBCFDC964

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\msdaprst.dll
Type: executable
MD5: D3A9EDA2566F64BFD3146E2C26DA8372
SHA256: C308D0C0DD685A00EB438647DD747FEC790119600A7D9F72D0576C95CAF04C6F

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\Microsoft.VisualStudio.VirtualTreeGrid.dll
Type: executable
MD5: 998BAB9C30929322C18AB8E930F0015E
SHA256: D342BDF590631D3F6A8C84CADDF460085102827F2409C049B1274D766BF19417

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\Microsoft.VisualStudio.QualityTools.LoadTest.dll
Type: executable
MD5: FDD13B05EC617F772F7480078652B246
SHA256: B5425A112B25A297D0441A6465B5A20FDABC5F8DAE7D7DE8D7612B6C33EB2549

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\Microsoft.DotNet.Interactive.VisualStudio.dll
Type: executable
MD5: 25CE12A0BE426368FD1B7D8F77308140
SHA256: 993EA8DF3D1274C3B765C9F20A1D85E1219516CFCBB9412AC0B9BC81CF9827D2

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\cpfeui.dll
Type: executable
MD5: 3726877F7B99918F1421608500FD9FB9
SHA256: 4D825172A1D82CF346694135035DD3C467DC26726D5C9FEAA411D4722A66F6FD

PID: 7412
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7412.4609\virus\Library\EnumIndex.dll
Type: executable
MD5: BA885CBC2E0CE2D0AEC9DA6E09F25A7B
SHA256: DF6EDCFD9DF09A338B08F127EE1E8063FE4B048C0215343E2DC8DB983AF5E34C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
46
DNS requests
23
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5556
BackgroundTransferHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7652
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6512
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6512
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.159.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7652
backgroundTaskHost.exe
20.31.169.57:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.143
whitelisted
login.live.com
  • 20.190.159.129
  • 40.126.31.1
  • 20.190.159.64
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.73
  • 40.126.31.130
  • 20.190.159.75
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
www.bing.com
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.154
  • 104.126.37.139
  • 104.126.37.129
  • 104.126.37.130
  • 104.126.37.185
  • 104.126.37.131
  • 104.126.37.128
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
660
svchost.exe
Potential Corporate Privacy Violation
ET INFO Dropbox.com Offsite File Backup in Use
No debug info