File name:

77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe

Full analysis: https://app.any.run/tasks/a4c5c6f3-5d41-462a-a07e-6bf613ce0437
Verdict: Malicious activity
Analysis date: May 19, 2024, 23:21:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

EDBD177FFA5C557C6E26834EA49360A3

SHA1:

3401BA7AD23577DC64802BCD1240C409A628DE73

SHA256:

77999F52BAF21DFE47B5C8DEB379F09781C00113D2AEF7A1F0DB5132F6D8BE8A

SSDEEP:

98304:VplvRN7UzD82woxYkokBbda75zg6cqBLBGJ/GQ1RaORuAXGQAKccBqYKZdOmiNjI:pjXJ61MDtfmFsWuQk19jNFkkj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6460) (ANY.RUN's own elevation helper, see its command line under Process information; the drop it is credited with is the sandbox starting the sample, not sample behaviour)
      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Creates a writable file in the system directory

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
      • winrdlv3.exe (PID: 4052)
    • Registers / Runs the DLL via REGSVR32.EXE (regsvr32 /s trmenushl64.dll, PID 5900; it exited with code 3, which for regsvr32 means LoadLibrary failed, so the registration did not complete)

      • winrdlv3.exe (PID: 4052)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp). Caveat: System.dll and nsProcess.dll under an nsXXXX.tmp folder are standard NSIS plugins unpacked by any Nullsoft installer, so this indicator is weak on its own.

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • The process creates files with name similar to system file names

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Drops a system driver (possible attempt to evade defenses): bakoav3.sys and bakrdgv3.sys written to C:\WINDOWS, see Dropped files

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Executable content was dropped or overwritten

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Process drops legitimate windows executable

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Starts CMD.EXE for commands execution

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • The process drops C-runtime libraries

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Uses NETSH.EXE to add a firewall rule or allowed programs (outbound allow rule named "winrdlv3" for C:\WINDOWS\system32\winrdlv3.exe, PID 6168)

      • cmd.exe (PID: 6988)
      • cmd.exe (PID: 7120)
    • Executes as Windows Service

      • winrdgv3.exe (PID: 6164)
    • Checks Windows Trust Settings

      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
    • Reads security settings of Internet Explorer

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Reads the date of Windows installation

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Application launched itself

      • winrdlv3.exe (PID: 6148)
    • Connects to unusual port

      • winrdlv3.exe (PID: 4052)
  • INFO

    • Checks supported languages

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
      • systecv3.exe (PID: 3640)
      • winrdgv3.exe (PID: 2252)
      • winrdlv3.exe (PID: 2448)
      • winrdlv3.exe (PID: 4052)
    • Creates files in the program directory

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Create files in a temporary directory

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Reads the computer name

      • systecv3.exe (PID: 3640)
      • winrdgv3.exe (PID: 6164)
      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
      • winrdlv3.exe (PID: 4052)
      • winrdlv3.exe (PID: 6148)
      • winrdgv3.exe (PID: 2252)
    • Checks Windows language

      • systecv3.exe (PID: 3640)
      • winrdlv3.exe (PID: 4052)
    • Reads the machine GUID from the registry

      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
    • Reads the software policy settings

      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
    • Process checks computer location settings

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:07:24 22:17:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x348f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
135
Monitored processes
17
Malicious processes
3
Suspicious processes
2

Behavior graph

Monitored processes in graph order ("no specs" marks a process that triggered no indicators):
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • systecv3.exe (no specs)
  • winrdgv3.exe (no specs)
  • winrdlv3.exe (no specs)
  • winrdlv3.exe
  • winrdgv3.exe (no specs)
  • winrdlv3.exe (no specs)
  • regsvr32.exe (no specs)
  • filecoauth.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2252
CMD:
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
Path:
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
Parent process:
77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
User:
admin
Company:
TEC Solutions Limited.
Integrity Level:
HIGH
Description:
WinRdgV3 APP
Exit code:
0
Version:
4, 73, 808, 0
Modules
Images
c:\program files (x86)\common files\system\winrdgv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
2448
CMD:
"C:\WINDOWS\system32\winrdlv3.exe" SW_HIDE
Path:
C:\Windows\SysWOW64\winrdlv3.exe (the command line names system32; WOW64 file-system redirection maps a 32-bit process's system32 writes and launches to SysWOW64)
Parent process:
77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
User:
admin
Company:
TEC Solutions Limited.
Integrity Level:
HIGH
Description:
Winrdlv3
Exit code:
4294967295 (0xFFFFFFFF, i.e. -1)
Version:
4, 61, 112, 0
Modules
Images
c:\windows\syswow64\winrdlv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
3640
CMD:
"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
Path:
C:\Program Files (x86)\Common Files\System\systecv3.exe
Parent process:
77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
User:
admin
Company:
TEC Solutions Limited.
Integrity Level:
HIGH
Description:
systecv3
Exit code:
0
Version:
4, 73, 808, 0
Modules
Images
c:\program files (x86)\common files\system\systecv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
4052
CMD:
C:\WINDOWS\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
Path:
C:\Windows\SysWOW64\winrdlv3.exe
Parent process:
winrdlv3.exe
User:
SYSTEM
Company:
TEC Solutions Limited.
Integrity Level:
SYSTEM
Description:
Winrdlv3
Version:
4, 61, 112, 0
Modules
Images
c:\windows\syswow64\winrdlv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winoav3.dll
c:\windows\syswow64\ws2_32.dll
PID:
5524
CMD:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
5900
CMD:
C:\WINDOWS\system32\regsvr32.exe /s trmenushl64.dll
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
winrdlv3.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
3 (regsvr32: LoadLibrary failed, so trmenushl64.dll was not registered)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
6148
CMD:
C:\WINDOWS\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
Path:
C:\Windows\SysWOW64\winrdlv3.exe
Parent process:
winrdgv3.exe
User:
SYSTEM
Company:
TEC Solutions Limited.
Integrity Level:
SYSTEM
Description:
Winrdlv3
Version:
4, 61, 112, 0
Modules
Images
c:\windows\syswow64\winrdlv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winwdgv3.dll
PID:
6164
CMD:
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
Path:
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
Parent process:
services.exe
User:
SYSTEM
Company:
TEC Solutions Limited.
Integrity Level:
SYSTEM
Description:
WinRdgV3 APP
Exit code:
1
Version:
4, 73, 808, 0
Modules
Images
c:\program files (x86)\common files\system\winrdgv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
6168
CMD:
netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\WINDOWS\system32\winrdlv3.exe"
Path:
C:\Windows\SysWOW64\netsh.exe (netsh ran as the 32-bit SysWOW64 copy; note the rule's program string names system32 while the dropped binary sits at C:\Windows\SysWOW64\winrdlv3.exe, see PID 2448)
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6460
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
46 799
Read events
44 699
Write events
1 934
Delete events
166

Modification events

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3640) systecv3.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: delete value
Name: PendingFileRenameOperations
Value:

(PID) Process: (4052) winrdlv3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TEC\Ocular.3\Agent\SGW
Operation: write
Name: SGW_ENABLE
Value: 0

Note: the four ZoneMap values are the Internet Explorer zone-map defaults that WinINet/urlmon writes when a process first initialises them (the "Reads security settings of Internet Explorer" indicator); both the sandbox's powershell.exe helper and the sample trigger it, and it is not persistence. The entries specific to this sample are systecv3.exe clearing PendingFileRenameOperations and winrdlv3.exe writing the TEC\Ocular.3\Agent\SGW key.
Executable files
22
Suspicious files
40
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6460
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type:
MD5:
SHA256:

PID: 6460
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B29VZTGOXFTBWC0K4O01.temp
Type: binary
MD5: CF567A16E1A0DB21F80944A004D57E48
SHA256: B07E3A21A415C64BC6C30CB26FED1881F88AA7CE38981BCBFBF84A27E77E3C7C

PID: 6460
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 70FC0845108C06E43C8DDA9C0EF59E7B
SHA256: 55F594118350AAEE0027EBE14762A2F5D263F49955228BEBC29BB58FF0926B98

PID: 6776
Process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Filename: C:\WINDOWS\bakoav3.sys
Type: executable
MD5: 3AE42CB8A028C5BE3F57575342BBB56D
SHA256: 0E0EFB65F52F8AE90F1227AAFDDB1BD23803229497FC82C5C458C8D6EB83A609

PID: 6776
Process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Filename: C:\WINDOWS\bakrdgv3.sys
Type: executable
MD5: 97AC3EF2E098C4CB7DD6EC1D14DC28F1
SHA256: A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1

PID: 6460
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gc4x0vum.blp.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6460
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_13wqizc4.gh3.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6776
Process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsu4DEF.tmp\nsProcess.dll
Type: executable
MD5: 88D3E48D1C1A051C702D47046ADE7B4C
SHA256: 51DA07DA18A5486B11E0D51EBFF77A3F2FCBB4D66B5665D212CC6BDA480C4257

PID: 6776
Process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsu4DEF.tmp\System.dll
Type: executable
MD5: 6E55A6E7C3FDBD244042EB15CB1EC739
SHA256: ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506

PID: 6776
Process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Filename: C:\WINDOWS\system32\winwdgv364.dll
Type: executable
MD5: 889482A07BA13FC6E194A63D275A850A
SHA256: 799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
23
DNS requests
5
Threats
0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4708 | RUXIMICS.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
4264 | svchost.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
4264 | svchost.exe | GET | 200 | 59.151.136.189:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
4708 | RUXIMICS.exe | GET | 200 | 59.151.136.189:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 59.151.136.189:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
2908 | OfficeClickToRun.exe | POST | 200 | 20.189.173.9:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown
None of the HTTP requests or connections listed here originate from the sample's processes: RUXIMICS.exe, svchost.exe, MoUsoCoreWorker.exe and OfficeClickToRun.exe are Windows Update, telemetry and Office components fetching Microsoft CRLs and posting telemetry. The "Connects to unusual port" indicator raised for winrdlv3.exe (PID 4052, which loads ws2_32.dll) is not represented in these rows; the PCAP in the full report is needed to see that traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
4264 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4708 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4264 | svchost.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4364 | svchost.exe | 239.255.255.250:1900 | | | | unknown
4708 | RUXIMICS.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5140 | MoUsoCoreWorker.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4264 | svchost.exe | 59.151.136.189:80 | www.microsoft.com | AKAMAI-AS | US | unknown
4708 | RUXIMICS.exe | 59.151.136.189:80 | www.microsoft.com | AKAMAI-AS | US | unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.53.41.90
  • 23.53.41.88
whitelisted
www.microsoft.com
  • 59.151.136.189
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 52.182.143.211
whitelisted

Threats

No threats detected
No debug info