File name:

knr.exe

Full analysis: https://app.any.run/tasks/20c7bf38-e678-4304-bead-02cbaf91fbf8
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date: March 30, 2025, 10:02:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netwire
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

CC28E40B46237AB6D5282199EF78C464

SHA1:

0D5C820002CF93384016BD4A2628DCC5101211F4

SHA256:

749E161661290E8A2D190B1A66469744127BC25BF46E5D0C6F2E835F4B92DB18

SSDEEP:

49152:HxZKeQAhGOzL0AreYOvAw0nH63BJZoo7IdjU/rVIiP80XfM6Y7B:CeQAhGOzJrGvAw0nHoBJZooP/rVIiPvG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • tng.exe (PID: 5064)
    • NETWIRE has been detected (YARA)

      • tng.exe (PID: 5064)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • knr.exe (PID: 6032)
    • There is functionality for taking screenshot (YARA)

      • tng.exe (PID: 5064)
    • Starts itself from another location

      • knr.exe (PID: 6032)
  • INFO

    • The sample compiled with english language support

      • knr.exe (PID: 6032)
    • Creates files or folders in the user directory

      • knr.exe (PID: 6032)
    • Checks supported languages

      • knr.exe (PID: 6032)
      • tng.exe (PID: 5064)
    • Reads the computer name

      • tng.exe (PID: 5064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NetWire

(PID) Process: (5064) tng.exe
C2 (1): dunlop.hopto.org:2032
HostId: tng
Credentials
Password: Password
Options
Mutex: bmnxcvbT
Install path: %AppData%\tng\tng.exe
Startup name: tng
Proxy: Direct connection
ActiveX: False
Copy executable: True
Delete original: False
Lock executable: True
Registry autorun: True
Use a mutex: True
Offline keylogger: True
Sleep: 75
Keylogger directory: C:\Users\admin\AppData\Roaming\tgn\
Keys
RC4: dec82a238d8eb6b16b59b98cf60ec8b3
Strings (222)
%s\%s.exe
GetExtendedTcpTable
GetExtendedUdpTable
GetProcessImageFileNameA
GetProcessImageFileNameA
CONNECT %s:%d HTTP/1.0
Local Disk
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
[Backspace]
[Enter]
[Tab]
[Arrow Left]
[Arrow Up]
[Arrow Right]
[Arrow Down]
[Home]
[Page Up]
[Page Down]
[End]
[Break]
[Delete]
[Insert]
[Print Screen]
[Scroll Lock]
[Caps Lock]
[Esc]
[Ctrl+%c]
[Ctrl+%c]
RegisterRawInputDevices
GetRawInputData
Secur32.dll
LsaGetLogonSessionData
LsaFreeReturnBuffer
LsaEnumerateLogonSessions
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozglue.dll
mozsqlite3.dll
nss3.dll
%s\nss3.dll
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\signons.sqlite
%s\logins.json
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PL_Base64Decode
SECITEM_ZfreeItem
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
select * from moz_logins
hostname
encryptedUsername
encryptedPassword
hostname
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
%s\.purple\accounts.xml
<protocol>
<name>
<password>
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
crypt32.dll
CryptUnprotectData
advapi32.dll
CredEnumerateA
CredFree
crypt32.dll
CryptUnprotectData
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItem
VaultGetItem
VaultFree
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
%s\Comodo\Dragon\User Data\Default\Login Data
%s\Yandex\YandexBrowser\User Data\Default\Login Data
%s\Opera Software\Opera Stable\Login Data
GetModuleFileNameExA
GetModuleFileNameExA
%s\system32\cmd.exe
advapi32.dll
GetUserNameA
USERNAME
GetNativeSystemInfo
kernel32.dll
SYSTEM\CurrentControlSet\Control\ProductOptions
ProductType
WINNT
LANMANNT
SERVERNT
GlobalMemoryStatusEx
HARDWARE\DESCRIPTION\System\CentralProcessor\0
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
softokn3.dll
nssdbm3.dll
msvcr100.dll
msvcp100.dll
msvcr120.dll
msvcp120.dll
api-ms-win-core-timezone-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll
api-ms-win-core-file-l2-1-0.dll
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-file-l1-2-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-multibyte-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-core-namedpipe-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-libraryloader-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-datetime-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-console-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-memory-l1-1-0.dll
api-ms-win-core-util-l1-1-0.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-interlocked-l1-1-0.dll
ucrtbase.dll
vcruntime140.dll
msvcp140.dll
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.9)
.exe | Win64 Executable (generic) (15)
.exe | Win32 Executable (generic) (2.4)
.exe | Generic Win/DOS Executable (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:09:18 13:13:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 1196544
InitializedDataSize: 1226240
UninitializedDataSize: -
EntryPoint: 0x1010ae
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.96
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Samsung Electronics.
FileDescription: PleaseWaitWindow
FileVersion: 1, 0, 0, 96
InternalName: PleaseWaitWindow.exe
LegalCopyright: Copyright © 2014 SAMSUNG Electronics Co. Ltd. All rights reserved.
OriginalFileName: PleaseWaitWindow.exe
ProductName: Samsung Magician
ProductVersion: 1.0.0.1
No data.
screenshot
All screenshots are available in the full report
Total processes
131
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

start knr.exe sppextcomobj.exe no specs slui.exe no specs #NETWIRE tng.exe svchost.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2284
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 5064
CMD: "C:\Users\admin\AppData\Roaming\tng\tng.exe"
Path: C:\Users\admin\AppData\Roaming\tng\tng.exe
Parent process: knr.exe
User:
admin
Company:
Samsung Electronics.
Integrity Level:
MEDIUM
Description:
PleaseWaitWindow
Version:
1, 0, 0, 96
Modules
Images
c:\users\admin\appdata\roaming\tng\tng.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6032
CMD: "C:\Users\admin\Downloads\knr.exe"
Path: C:\Users\admin\Downloads\knr.exe
Parent process: explorer.exe
User:
admin
Company:
Samsung Electronics.
Integrity Level:
MEDIUM
Description:
PleaseWaitWindow
Exit code:
0
Version:
1, 0, 0, 96
Modules
Images
c:\users\admin\downloads\knr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7012
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
560
Read events
559
Write events
1
Delete events
0

Modification events

(PID) Process: (5064) tng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: tng
Value: C:\Users\admin\AppData\Roaming\tng\tng.exe
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 6032
Process: knr.exe
Filename: C:\Users\admin\AppData\Roaming\tng\tng.exe
Type: executable
MD5: CC28E40B46237AB6D5282199EF78C464
SHA256: 749E161661290E8A2D190B1A66469744127BC25BF46E5D0C6F2E835F4B92DB18
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
18
DNS requests
13
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1184
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1184
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.172.255.218:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.159.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1184
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.25
  • 23.216.77.38
  • 23.216.77.20
  • 23.216.77.30
  • 23.216.77.19
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.172.255.218
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.130
  • 40.126.31.129
  • 20.190.159.2
  • 40.126.31.128
  • 20.190.159.0
  • 40.126.31.2
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
dunlop.hopto.org
malicious
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.hopto .org
No debug info