File name: IMServer.exe

Full analysis: https://app.any.run/tasks/799295a3-7288-4c29-bb70-4acd27c89c44
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 01, 2025, 13:19:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, imminent
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: DEA57C3D0759C690D3EDDBF53EB9731D
SHA1: 550E7132250BB72CBD5D4289AFE82D1B933C96E5
SHA256: 7BFFDCC12A83ABABAC5F8ADE5E706BA4836D567459FDBE5B99C3E8B669B74DD1
SSDEEP: 6144:lMati8vnmk9YbiTg03gJvq2m/TQ2wITrqmJ4yEXX:N1nmkK03QaKFX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for self-deleting

      • IMServer.exe (PID: 6388)
    • Imminent RAT is detected

      • imserver.exe (PID: 6624)
    • Changes the autorun value in the registry

      • imserver.exe (PID: 6624)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • IMServer.exe (PID: 6388)
      • imserver.exe (PID: 6624)
    • Reads security settings of Internet Explorer

      • IMServer.exe (PID: 6388)
      • imserver.exe (PID: 6624)
    • Hides command output

      • cmd.exe (PID: 6652)
    • Starts CMD.EXE for commands execution

      • IMServer.exe (PID: 6388)
    • Starts itself from another location

      • IMServer.exe (PID: 6388)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6652)
    • Connects to unusual port

      • imserver.exe (PID: 6624)
    • Write to the desktop.ini file (may be used to cloak folders)

      • imserver.exe (PID: 6624)
  • INFO

    • The process uses the downloaded file

      • IMServer.exe (PID: 6388)
      • imserver.exe (PID: 6624)
    • Create files in a temporary directory

      • IMServer.exe (PID: 6388)
    • Checks supported languages

      • IMServer.exe (PID: 6388)
      • imserver.exe (PID: 6624)
    • Reads the computer name

      • IMServer.exe (PID: 6388)
      • imserver.exe (PID: 6624)
    • Process checks computer location settings

      • IMServer.exe (PID: 6388)
      • imserver.exe (PID: 6624)
    • Creates files or folders in the user directory

      • imserver.exe (PID: 6624)
      • Taskmgr.exe (PID: 6956)
    • Reads the machine GUID from the registry

      • imserver.exe (PID: 6624)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 6956)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:26 13:42:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 360448
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x59ede
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Description
CompanyName: Microsoft
FileDescription: Client
FileVersion: 1.0.0.0
InternalName: 3.exe
LegalCopyright: Copyright © Microsoft 2013
OriginalFileName: 3.exe
ProductName: ClientProduct
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 132
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: imserver.exe; imserver.exe (#IMMINENT); cmd.exe (no specs); conhost.exe (no specs); ping.exe (no specs); taskmgr.exe (no specs); taskmgr.exe

Process information

PID: 6388
CMD: "C:\Users\admin\AppData\Local\Temp\IMServer.exe"
Path: C:\Users\admin\AppData\Local\Temp\IMServer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\imserver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6624
CMD: "C:\Users\admin\AppData\Local\Temp\imserver\imserver.exe"
Path: C:\Users\admin\AppData\Local\Temp\imserver\imserver.exe
Parent process: IMServer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Client
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\imserver\imserver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6652
CMD: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\admin\AppData\Local\Temp\IMServer.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: IMServer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6680
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6760
CMD: ping 1.1.1.1 -n 1 -w 1000
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6804
CMD: "C:\Windows\System32\Taskmgr.exe"
Path: C:\Windows\SysWOW64\Taskmgr.exe
Parent process: imserver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Manager
Exit code: 3221226540
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6956
CMD: "C:\WINDOWS\SysWOW64\Taskmgr.exe"
Path: C:\Windows\SysWOW64\Taskmgr.exe
Parent process: imserver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

Total events: 3 580
Read events: 3 538
Write events: 41
Delete events: 1

Modification events

Process: imserver.exe (PID: 6624)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Default Key
Value: C:\Users\admin\AppData\Local\Default Folder\Server.exe

Process: imserver.exe (PID: 6624)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Default Key
Value: \Default Folder\Server.exe

Process: Taskmgr.exe (PID: 6956)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: write
Name: Preferences
Value:

Process: Taskmgr.exe (PID: 6956)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: delete value
Name: Preferences
Value:

Executable files: 3
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6624 | imserver.exe | C:\Users\admin\AppData\Roaming\Imminent\Path.dat | binary
MD5:86FB401493C9C2EB7659DE700108063A
SHA256:36A94BA8623934869FB6E741888F94B2766FFBF37E20BFFA516600C2E29D3927
6624 | imserver.exe | C:\Default Folder\Server.exe | executable
MD5:DEA57C3D0759C690D3EDDBF53EB9731D
SHA256:7BFFDCC12A83ABABAC5F8ADE5E706BA4836D567459FDBE5B99C3E8B669B74DD1
6956 | Taskmgr.exe | C:\Users\admin\AppData\Local\D3DSCache\e313ddc235b088d6\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | binary
MD5:AEA4F521B527615E27F4718F4D58ADD1
SHA256:280C7D47E5CAD7D6208B6572F17E0099AB15E2C1DD1E824C9DBA87E279AA2C53
6624 | imserver.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\assembly\Desktop.ini | binary
MD5:F7F759A5CD40BC52172E83486B6DE404
SHA256:A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C
6956 | Taskmgr.exe | C:\Users\admin\AppData\Local\D3DSCache\e313ddc235b088d6\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | text
MD5:F49655F856ACB8884CC0ACE29216F511
SHA256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
6956 | Taskmgr.exe | C:\Users\admin\AppData\Local\D3DSCache\e313ddc235b088d6\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | binary
MD5:09C22002C807370C27681FBB1E76D387
SHA256:09D981C774EE5623A9439AE02458477937C011552F2E01C1BF48D75100E689BB
6624 | imserver.exe | C:\Users\admin\AppData\Roaming\Imminent\Logs\01-01-2025 | text
MD5:33BE604F8044D5984E8E3E3B694D710A
SHA256:3F785F1CC535B0987139623200C7910B2B28F92DFE3309E8E071C091D0CE7313
6624 | imserver.exe | C:\Users\admin\AppData\Local\Default Folder\Server.exe | executable
MD5:DEA57C3D0759C690D3EDDBF53EB9731D
SHA256:7BFFDCC12A83ABABAC5F8ADE5E706BA4836D567459FDBE5B99C3E8B669B74DD1
6388 | IMServer.exe | C:\Users\admin\AppData\Local\Temp\imserver\imserver.exe | executable
MD5:DEA57C3D0759C690D3EDDBF53EB9731D
SHA256:7BFFDCC12A83ABABAC5F8ADE5E706BA4836D567459FDBE5B99C3E8B669B74DD1

HTTP(S) requests: 9
TCP/UDP connections: 34
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.20.245.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 2.20.245.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3208 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3208 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.20.245.138:80 | crl.microsoft.com | Akamai International B.V. | SE | unknown
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6624 | imserver.exe | 109.111.167.229:1337 | - | Sibirskie Seti Ltd. | RU | malicious
1176 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
crl.microsoft.com | 2.20.245.138, 2.20.245.137 | whitelisted
www.microsoft.com | 184.30.21.171, 88.221.169.152 | whitelisted
google.com | 142.250.185.142 | whitelisted
www.bing.com | 104.126.37.171, 104.126.37.146, 104.126.37.123, 104.126.37.168, 104.126.37.162, 104.126.37.186, 104.126.37.177, 104.126.37.144, 104.126.37.178 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.68, 40.126.31.69, 20.190.159.4, 20.190.159.73, 40.126.31.71, 20.190.159.71, 20.190.159.75, 20.190.159.2 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
arc.msn.com | 20.199.58.43 | whitelisted
fd.api.iris.microsoft.com | 20.223.35.26 | whitelisted

Threats

No threats detected
No debug info