File name: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe

Full analysis: https://app.any.run/tasks/a4c5c6f3-5d41-462a-a07e-6bf613ce0437
Verdict: Malicious activity
Analysis date: May 19, 2024, 23:21:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: EDBD177FFA5C557C6E26834EA49360A3
SHA1: 3401BA7AD23577DC64802BCD1240C409A628DE73
SHA256: 77999F52BAF21DFE47B5C8DEB379F09781C00113D2AEF7A1F0DB5132F6D8BE8A
SSDEEP: 98304:VplvRN7UzD82woxYkokBbda75zg6cqBLBGJ/GQ1RaORuAXGQAKccBqYKZdOmiNjI:pjXJ61MDtfmFsWuQk19jNFkkj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6460)
      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Creates a writable file in the system directory

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
      • winrdlv3.exe (PID: 4052)
    • Registers / Runs the DLL via REGSVR32.EXE

      • winrdlv3.exe (PID: 4052)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • The process creates files with name similar to system file names

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Executable content was dropped or overwritten

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Drops a system driver (possible attempt to evade defenses)

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Process drops legitimate windows executable

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • The process drops C-runtime libraries

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Starts CMD.EXE for commands execution

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6988)
      • cmd.exe (PID: 7120)
    • Reads security settings of Internet Explorer

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Reads the date of Windows installation

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Executes as Windows Service

      • winrdgv3.exe (PID: 6164)
    • Checks Windows Trust Settings

      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
    • Connects to unusual port

      • winrdlv3.exe (PID: 4052)
    • Application launched itself

      • winrdlv3.exe (PID: 6148)
  • INFO

    • Checks supported languages

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
      • systecv3.exe (PID: 3640)
      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
      • winrdlv3.exe (PID: 2448)
      • winrdlv3.exe (PID: 4052)
      • winrdgv3.exe (PID: 2252)
    • Create files in a temporary directory

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Creates files in the program directory

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Reads the computer name

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
      • winrdgv3.exe (PID: 6164)
      • systecv3.exe (PID: 3640)
      • winrdlv3.exe (PID: 6148)
      • winrdlv3.exe (PID: 4052)
      • winrdgv3.exe (PID: 2252)
    • Process checks computer location settings

      • 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe (PID: 6776)
    • Checks Windows language

      • systecv3.exe (PID: 3640)
      • winrdlv3.exe (PID: 4052)
    • Reads the machine GUID from the registry

      • winrdgv3.exe (PID: 6164)
      • winrdlv3.exe (PID: 6148)
    • Reads the software policy settings

      • winrdlv3.exe (PID: 6148)
      • winrdgv3.exe (PID: 6164)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:07:24 22:17:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x348f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 135
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in order: powershell.exe, conhost.exe, 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, netsh.exe, systecv3.exe, winrdgv3.exe, winrdlv3.exe, winrdlv3.exe, winrdgv3.exe, winrdlv3.exe, regsvr32.exe, filecoauth.exe

Process information

PID: 2252
CMD: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
Path: C:\Program Files (x86)\Common Files\System\winrdgv3.exe
Parent process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
User: admin
Company: TEC Solutions Limited.
Integrity Level: HIGH
Description: WinRdgV3 APP
Exit code: 0
Version: 4, 73, 808, 0
Modules:
c:\program files (x86)\common files\system\winrdgv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2448
CMD: "C:\WINDOWS\system32\winrdlv3.exe" SW_HIDE
Path: C:\Windows\SysWOW64\winrdlv3.exe
Parent process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
User: admin
Company: TEC Solutions Limited.
Integrity Level: HIGH
Description: Winrdlv3
Exit code: 4294967295
Version: 4, 61, 112, 0
Modules:
c:\windows\syswow64\winrdlv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3640
CMD: "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
Path: C:\Program Files (x86)\Common Files\System\systecv3.exe
Parent process: 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
User: admin
Company: TEC Solutions Limited.
Integrity Level: HIGH
Description: systecv3
Exit code: 0
Version: 4, 73, 808, 0
Modules:
c:\program files (x86)\common files\system\systecv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4052
CMD: C:\WINDOWS\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
Path: C:\Windows\SysWOW64\winrdlv3.exe
Parent process: winrdlv3.exe
User: SYSTEM
Company: TEC Solutions Limited.
Integrity Level: SYSTEM
Description: Winrdlv3
Version: 4, 61, 112, 0
Modules:
c:\windows\syswow64\winrdlv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winoav3.dll
c:\windows\syswow64\ws2_32.dll
PID: 5524
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFile Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules:
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 5900
CMD: C:\WINDOWS\system32\regsvr32.exe /s trmenushl64.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: winrdlv3.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6148
CMD: C:\WINDOWS\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
Path: C:\Windows\SysWOW64\winrdlv3.exe
Parent process: winrdgv3.exe
User: SYSTEM
Company: TEC Solutions Limited.
Integrity Level: SYSTEM
Description: Winrdlv3
Version: 4, 61, 112, 0
Modules:
c:\windows\syswow64\winrdlv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winwdgv3.dll
PID: 6164
CMD: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
Path: C:\Program Files (x86)\Common Files\System\winrdgv3.exe
Parent process: services.exe
User: SYSTEM
Company: TEC Solutions Limited.
Integrity Level: SYSTEM
Description: WinRdgV3 APP
Exit code: 1
Version: 4, 73, 808, 0
Modules:
c:\program files (x86)\common files\system\winrdgv3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6168
CMD: netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\WINDOWS\system32\winrdlv3.exe"
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6460
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 46 799
Read events: 44 699
Write events: 1 934
Delete events: 166

Modification events

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (6460) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (6776) 77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (3640) systecv3.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: delete value | Name: PendingFileRenameOperations | Value: (empty)

(PID) Process: (4052) winrdlv3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TEC\Ocular.3\Agent\SGW
Operation: write | Name: SGW_ENABLE | Value: 0
Executable files: 22
Suspicious files: 40
Text files: 23
Unknown types: 0

Dropped files

PID 6460 (powershell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Type: (empty) | MD5: (empty) | SHA256: (empty)

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\system32\winwdgv364.dll
  Type: executable | MD5: 889482A07BA13FC6E194A63D275A850A | SHA256: 799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0

PID 6460 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_13wqizc4.gh3.psm1
  Type: text | MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\Users\admin\AppData\Local\Temp\nsu4DEF.tmp\nsProcess.dll
  Type: executable | MD5: 88D3E48D1C1A051C702D47046ADE7B4C | SHA256: 51DA07DA18A5486B11E0D51EBFF77A3F2FCBB4D66B5665D212CC6BDA480C4257

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\bakrdlv3.sys
  Type: executable | MD5: 0CBEB75D3090054817EA4DF0773AFE35 | SHA256: 453E2290939078C070E46896B2D991F31D295BBC1C63059B10F3C24CAD7C4822

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\bakstec3.sys
  Type: executable | MD5: B9E0A7CBD7FDB4D179172DBDD453495A | SHA256: CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\bakwdgv3.sys
  Type: executable | MD5: 0AED8F70A00060F8005EFA8D1C668B98 | SHA256: 326ABF1AF467670DE571252BFD8118B9EA0B8A3BABC10DF092FFFC2DA3E11671

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\LInstSvr.exe
  Type: executable | MD5: FB741FCEEB80A76F7F0005A1AC60604A | SHA256: C8BD29C490368EBFC56DC5C951E24AF613F7E5B68A8493240F5EC1AFD9D4A9B1

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\bakwdgv364.sys
  Type: executable | MD5: 889482A07BA13FC6E194A63D275A850A | SHA256: 799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0

PID 6776 (77999f52baf21dfe47b5c8deb379f09781c00113d2aef7a1f0db5132f6d8be8a.exe): C:\WINDOWS\bakrdgv3.sys
  Type: executable | MD5: 97AC3EF2E098C4CB7DD6EC1D14DC28F1 | SHA256: A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
HTTP(S) requests: 7
TCP/UDP connections: 23
DNS requests: 5
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (columns left empty in the report are omitted from the rows below)

4264 | svchost.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4708 | RUXIMICS.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4264 | svchost.exe | GET | 200 | 59.151.136.189:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4708 | RUXIMICS.exe | GET | 200 | 59.151.136.189:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 59.151.136.189:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
2908 | OfficeClickToRun.exe | POST | 200 | 20.189.173.9:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (columns left empty in the report are omitted from the rows below)

4 | System | 192.168.100.255:138 | unknown
4264 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4708 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4264 | svchost.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4364 | svchost.exe | 239.255.255.250:1900 | unknown
4708 | RUXIMICS.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5140 | MoUsoCoreWorker.exe | 23.53.41.90:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4264 | svchost.exe | 59.151.136.189:80 | www.microsoft.com | AKAMAI-AS | US | unknown
4708 | RUXIMICS.exe | 59.151.136.189:80 | www.microsoft.com | AKAMAI-AS | US | unknown

DNS requests

Columns: Domain | IP | Reputation

crl.microsoft.com | 23.53.41.90, 23.53.41.88 | whitelisted
www.microsoft.com | 59.151.136.189 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 52.182.143.211 | whitelisted

Threats

No threats detected
No debug info