File name:

72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc

Full analysis: https://app.any.run/tasks/4df26a5e-69eb-43ca-8cad-614297214c75
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 01:12:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
orcus
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

595866CE3023AA7A94A221BCFF8BFE15

SHA1:

F1F8C080B238B7EA66D0D42732268FCA9AE77364

SHA256:

72328A364B47DB12BAC7AA536CF3CB4C10C08712F762B8D85CE9307F45F2A7DC

SSDEEP:

98304:vIw6+hhhb1bUvQzvOrbsNVqZn/kGEWebnugM30F4ipW93MgB5hlsb5DzdfBXEwrZ:sIWg3b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Orcus is detected

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • Explorer.exe (PID: 5576)
      • Node S2-N.exe (PID: 6096)

    • ORCUS has been detected (YARA)

      • Explorer.exe (PID: 5576)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)

    • Starts a Microsoft application from unusual location

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 3608)
      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)

    • Reads security settings of Internet Explorer

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • WindowsInput.exe (PID: 4128)
      • Explorer.exe (PID: 5576)
      • Node S2-N.exe (PID: 6096)

    • Reads the date of Windows installation

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • Explorer.exe (PID: 5576)

    • Executes as Windows Service

      • WindowsInput.exe (PID: 3988)

    • Executable content was dropped or overwritten

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • Explorer.exe (PID: 5576)

    • The process creates files with name similar to system file names

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)

    • Starts itself from another location

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)

    • Connects to unusual port

      • Explorer.exe (PID: 5576)

    • Application launched itself

      • Node S2-N.exe (PID: 6096)

  • INFO

    • Checks supported languages

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • WindowsInput.exe (PID: 4128)
      • WindowsInput.exe (PID: 3988)
      • Explorer.exe (PID: 5576)
      • Node S2-N.exe (PID: 6096)
      • Node S2-N.exe (PID: 396)

    • Reads the computer name

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • WindowsInput.exe (PID: 4128)
      • WindowsInput.exe (PID: 3988)
      • Explorer.exe (PID: 5576)
      • Node S2-N.exe (PID: 6096)
      • Node S2-N.exe (PID: 396)

    • Reads the machine GUID from the registry

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • WindowsInput.exe (PID: 4128)
      • WindowsInput.exe (PID: 3988)
      • Explorer.exe (PID: 5576)

    • Process checks computer location settings

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • Explorer.exe (PID: 5576)
      • Node S2-N.exe (PID: 6096)

    • The process uses the downloaded file

      • WindowsInput.exe (PID: 4128)
      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)
      • Explorer.exe (PID: 5576)
      • Node S2-N.exe (PID: 6096)

    • Creates files in the program directory

      • 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe (PID: 1468)

    • Creates files or folders in the user directory

      • Explorer.exe (PID: 5576)

    • Reads Environment values

      • Explorer.exe (PID: 5576)

    • Reads the software policy settings

      • Explorer.exe (PID: 5576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Orcus

(PID) Process(5576) Explorer.exe
C2 (1)vimeworldserverstat.serveminecraft.net:3306
Keys
AESbc4ae1161e974bbd3edcbfb0a9c2e083dd2ec58477c0330681fec4333649a6af
Salt
Options
AutostartBuilderProperty
AutostartMethodTaskScheduler
TaskSchedulerTaskNameExplorer
TaskHighestPrivilegestrue
RegistryHiddenStarttrue
RegistryKeyNameOrcus
TryAllAutostartMethodsOnFailtrue
ChangeAssemblyInformationBuilderProperty
ChangeAssemblyInformationtrue
AssemblyTitleexplorer
AssemblyDescriptionПроводник
AssemblyCompanyNameMicrosoft Corporation
AssemblyProductNameОперационная система Microsoft® Windows®
AssemblyCopyright© Корпорация Майкрософт. Все права защищены.
AssemblyTrademarksnull
AssemblyProductVersion10.0.19041.0
AssemblyFileVersion6.2.19041.0
ChangeCreationDateBuilderProperty
IsEnabledfalse
NewCreationDate2024-12-07T17:49:14
ChangeIconBuilderProperty
ChangeIcontrue
IconPathC:\Users\DEKAn\Desktop\Icon2.ico
ClientTagBuilderProperty
ClientTagStandoff
DataFolderBuilderProperty
Path%appdata%\Zoom
DefaultPrivilegesBuilderProperty
RequireAdministratorRightstrue
DisableInstallationPromptBuilderProperty
IsDisabledtrue
FrameworkVersionBuilderProperty
FrameworkVersionNET48
HideFileBuilderProperty
HideFiletrue
InstallationLocationBuilderProperty
Path%programfiles%\Syncing metadata\Explorer.exe
InstallBuilderProperty
Installtrue
KeyloggerBuilderProperty
IsEnabledtrue
MutexBuilderProperty
Mutex578e841011a443d284fea21232fbf3a6
ProxyBuilderProperty
ProxyOptionNone
ProxyAddressnull
ProxyPort1080
ProxyType2
ReconnectDelayProperty
Delay10000
RequireAdministratorPrivilegesInstallerBuilderProperty
RequireAdministratorPrivilegestrue
RespawnTaskBuilderProperty
IsEnabledfalse
TaskNameOrcus Respawner
ServiceBuilderProperty
Installtrue
SetRunProgramAsAdminFlagBuilderProperty
SetFlagfalse
WatchdogBuilderProperty
IsEnabledtrue
NameNode S2-N.exe
WatchdogLocationAppData
PreventFileDeletiontrue
Plugins (0)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:07 07:28:20+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 3144704
InitializedDataSize: 19968
UninitializedDataSize: -
EntryPoint: 0x301b0e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.2.19041.0
ProductVersionNumber: 10.0.19041.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: Проводник
FileVersion: 6.2.19041.0
InternalName: explorer
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
LegalTrademarks: -
OriginalFileName: Orcus.exe
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 10.0.19041.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ORCUS 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe windowsinput.exe no specs windowsinput.exe no specs #ORCUS explorer.exe #ORCUS node s2-n.exe no specs svchost.exe node s2-n.exe no specs 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396"C:\Users\admin\AppData\Roaming\Node S2-N.exe" /watchProcess "C:\Program Files\Syncing metadata\Explorer.exe" 5576 "/protectFile"C:\Users\admin\AppData\Roaming\Node S2-N.exeNode S2-N.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\node s2-n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
1468"C:\Users\admin\Desktop\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe" C:\Users\admin\Desktop\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Проводник
Exit code:
0
Version:
6.2.19041.0
Modules
Images
c:\users\admin\desktop\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3608"C:\Users\admin\Desktop\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe" C:\Users\admin\Desktop\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Проводник
Exit code:
3221226540
Version:
6.2.19041.0
Modules
Images
c:\users\admin\desktop\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe
c:\windows\system32\ntdll.dll
3988"C:\WINDOWS\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exeservices.exe
User:
SYSTEM
Company:
Microsoft
Integrity Level:
SYSTEM
Description:
Windows Input
Version:
0.1.0
Modules
Images
c:\windows\syswow64\windowsinput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4128"C:\WINDOWS\SysWOW64\WindowsInput.exe" --installC:\Windows\SysWOW64\WindowsInput.exe72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Windows Input
Exit code:
0
Version:
0.1.0
Modules
Images
c:\windows\syswow64\windowsinput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5576"C:\Program Files\Syncing metadata\Explorer.exe" C:\Program Files\Syncing metadata\Explorer.exe
72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Проводник
Version:
6.2.19041.0
Modules
Images
c:\program files\syncing metadata\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Orcus
(PID) Process(5576) Explorer.exe
C2 (1)vimeworldserverstat.serveminecraft.net:3306
Keys
AESbc4ae1161e974bbd3edcbfb0a9c2e083dd2ec58477c0330681fec4333649a6af
Salt
Options
AutostartBuilderProperty
AutostartMethodTaskScheduler
TaskSchedulerTaskNameExplorer
TaskHighestPrivilegestrue
RegistryHiddenStarttrue
RegistryKeyNameOrcus
TryAllAutostartMethodsOnFailtrue
ChangeAssemblyInformationBuilderProperty
ChangeAssemblyInformationtrue
AssemblyTitleexplorer
AssemblyDescriptionПроводник
AssemblyCompanyNameMicrosoft Corporation
AssemblyProductNameОперационная система Microsoft® Windows®
AssemblyCopyright© Корпорация Майкрософт. Все права защищены.
AssemblyTrademarksnull
AssemblyProductVersion10.0.19041.0
AssemblyFileVersion6.2.19041.0
ChangeCreationDateBuilderProperty
IsEnabledfalse
NewCreationDate2024-12-07T17:49:14
ChangeIconBuilderProperty
ChangeIcontrue
IconPathC:\Users\DEKAn\Desktop\Icon2.ico
ClientTagBuilderProperty
ClientTagStandoff
DataFolderBuilderProperty
Path%appdata%\Zoom
DefaultPrivilegesBuilderProperty
RequireAdministratorRightstrue
DisableInstallationPromptBuilderProperty
IsDisabledtrue
FrameworkVersionBuilderProperty
FrameworkVersionNET48
HideFileBuilderProperty
HideFiletrue
InstallationLocationBuilderProperty
Path%programfiles%\Syncing metadata\Explorer.exe
InstallBuilderProperty
Installtrue
KeyloggerBuilderProperty
IsEnabledtrue
MutexBuilderProperty
Mutex578e841011a443d284fea21232fbf3a6
ProxyBuilderProperty
ProxyOptionNone
ProxyAddressnull
ProxyPort1080
ProxyType2
ReconnectDelayProperty
Delay10000
RequireAdministratorPrivilegesInstallerBuilderProperty
RequireAdministratorPrivilegestrue
RespawnTaskBuilderProperty
IsEnabledfalse
TaskNameOrcus Respawner
ServiceBuilderProperty
Installtrue
SetRunProgramAsAdminFlagBuilderProperty
SetFlagfalse
WatchdogBuilderProperty
IsEnabledtrue
NameNode S2-N.exe
WatchdogLocationAppData
PreventFileDeletiontrue
Plugins (0)
6096"C:\Users\admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 5576 /protectFileC:\Users\admin\AppData\Roaming\Node S2-N.exe
Explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
396
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\node s2-n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
6 903
Read events
6 901
Write events
2
Delete events
0

Modification events

(PID) Process:(4128) WindowsInput.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\WindowsInput
Operation:writeName:EventMessageFile
Value:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
(PID) Process:(1468) 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
3
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
146872328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exeC:\Windows\SysWOW64\WindowsInput.exeexecutable
MD5:20E49432591AECA9939D49F7E31D0ED5
SHA256:7100036177C61BD0E5ECF14E70BB9803F75B2807B076974995DFA1175D2006C9
146872328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exeC:\Windows\SysWOW64\WindowsInput.exe.configxml
MD5:89817519E9E0B4E703F07E8C55247861
SHA256:F40DFAA50DCBFF93611D45607009158F798E9CD845170939B1D6088A7D10EE13
4128WindowsInput.exeC:\Windows\SysWOW64\WindowsInput.InstallStatexml
MD5:362CE475F5D1E84641BAD999C16727A0
SHA256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
146872328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exeC:\Program Files\Syncing metadata\Explorer.exe.configxml
MD5:89817519E9E0B4E703F07E8C55247861
SHA256:F40DFAA50DCBFF93611D45607009158F798E9CD845170939B1D6088A7D10EE13
5576Explorer.exeC:\Users\admin\AppData\Roaming\Node S2-N.exe.configxml
MD5:7EFA291047EB1202FDE7765ADAC4B00D
SHA256:807FB6EEAA7C77BF53831D8A4422A53A5D8CCD90E6BBC17C655C0817460407B6
146872328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exeC:\Program Files\Syncing metadata\Explorer.exeexecutable
MD5:595866CE3023AA7A94A221BCFF8BFE15
SHA256:72328A364B47DB12BAC7AA536CF3CB4C10C08712F762B8D85CE9307F45F2A7DC
5576Explorer.exeC:\Users\admin\AppData\Roaming\Node S2-N.exeexecutable
MD5:7796236D80B9E55F9571418E05A9578B
SHA256:02EA168CA6EB5B6211D7525ADA5E100323D41155620CA40A149038B61FDB6CC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4140
RUXIMICS.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4328
svchost.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4140
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4328
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4140
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4328
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4140
RUXIMICS.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4328
svchost.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4140
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
vimeworldserverstat.serveminecraft.net
  • 91.227.18.174
unknown
self.events.data.microsoft.com
  • 20.42.65.91
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc