File name: Portable.zip

Full analysis: https://app.any.run/tasks/da9da0d2-e9f9-4e43-8d70-33a30672566b
Verdict: Malicious activity
Analysis date: July 06, 2024, 14:31:17
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 5576E488AF3954E6B01DEF638D58B9A3
SHA1: 1EE96C8F9B276827B23FFA0E7BC547D3F2B33CF2
SHA256: 7D60C94A8B47531540654E15E84DE8E0BE4686DCB7722096D5953104DCABD088
SSDEEP: 6144:zuVA/awIKeVf5jiXHDTUH7bP00pfwOfmNn9O7QI4gv1tS:zuixIKk5jiXjQ/P0Q4YmJ1dgv1tS
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2516)
      • SynapseKiller.exe (PID: 5600)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 4720)
      • powershell.exe (PID: 1296)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • SynapseKiller.exe (PID: 5600)
      • cmd.exe (PID: 6596)
      • SynapseEnabler.exe (PID: 240)
      • nircmd.exe (PID: 6936)
      • nircmd.exe (PID: 5624)
      • nircmd.exe (PID: 2052)
      • nircmd.exe (PID: 6432)
      • nircmd.exe (PID: 6544)
      • nircmd.exe (PID: 2272)
      • nircmd.exe (PID: 6520)
      • cmd.exe (PID: 1708)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3808)
      • cmd.exe (PID: 2252)
    • Reads the date of Windows installation

      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 240)
    • Reads security settings of Internet Explorer

      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 240)
    • Application launched itself

      • cmd.exe (PID: 6596)
      • cmd.exe (PID: 1708)
    • Starts CMD.EXE for commands execution

      • SynapseKiller.exe (PID: 5600)
      • cmd.exe (PID: 6596)
      • SynapseEnabler.exe (PID: 240)
      • nircmd.exe (PID: 6432)
      • nircmd.exe (PID: 6936)
      • nircmd.exe (PID: 5624)
      • nircmd.exe (PID: 2052)
      • nircmd.exe (PID: 2272)
      • nircmd.exe (PID: 6520)
      • nircmd.exe (PID: 6544)
      • cmd.exe (PID: 1708)
    • The process creates files with name similar to system file names

      • SynapseKiller.exe (PID: 5600)
    • Executable content was dropped or overwritten

      • SynapseKiller.exe (PID: 5600)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6596)
      • cmd.exe (PID: 1708)
      • cmd.exe (PID: 7160)
      • cmd.exe (PID: 6580)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 5812)
      • cmd.exe (PID: 6424)
      • cmd.exe (PID: 6304)
    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 2052)
      • nircmd.exe (PID: 6936)
      • nircmd.exe (PID: 5624)
      • nircmd.exe (PID: 6544)
      • nircmd.exe (PID: 6432)
      • nircmd.exe (PID: 2272)
      • nircmd.exe (PID: 6520)
    • Get information on the list of running processes

      • cmd.exe (PID: 6424)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 7160)
      • cmd.exe (PID: 5812)
      • cmd.exe (PID: 6580)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 3976)
  • INFO

    • Checks supported languages

      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 240)
      • nircmd.exe (PID: 2052)
      • nircmd.exe (PID: 6936)
      • nircmd.exe (PID: 5624)
      • nircmd.exe (PID: 6544)
      • nircmd.exe (PID: 6432)
      • nircmd.exe (PID: 6520)
      • nircmd.exe (PID: 2272)
    • Manual execution by a user

      • SynapseKiller.exe (PID: 2272)
      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 776)
      • SynapseEnabler.exe (PID: 240)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2516)
    • Create files in a temporary directory

      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 240)
    • Process checks computer location settings

      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 240)
    • Reads the computer name

      • SynapseKiller.exe (PID: 5600)
      • SynapseEnabler.exe (PID: 240)
    • NirSoft software is detected

      • nircmd.exe (PID: 2052)
      • nircmd.exe (PID: 6936)
      • nircmd.exe (PID: 5624)
      • nircmd.exe (PID: 6544)
      • nircmd.exe (PID: 6432)
      • nircmd.exe (PID: 2272)
      • nircmd.exe (PID: 6520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2022:05:31 00:56:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Portable/
No data.
All screenshots are available in the full report
Total processes: 373
Monitored processes: 234
Malicious processes: 16
Suspicious processes: 2

Behavior graph

[Interactive process graph; see the full report. Process images shown, in order of first appearance: winrar.exe, rundll32.exe, synapsekiller.exe, cmd.exe, conhost.exe, powershell.exe, timeout.exe, synapseenabler.exe, nircmd.exe, tasklist.exe, find.exe. After the first few nodes the graph is the same three images, tasklist.exe, find.exe and timeout.exe, spawned over and over. Read together with the command lines under Process information (tasklist /NH /FI "IMAGENAME eq <Razer process>", FIND /I "<Razer process>", TIMEOUT /T 1 /NOBREAK), this is a loop that checks once per second whether the named Razer processes are running.]

Process information

Each entry gives PID | CMD | Path | Parent process, then User, Integrity Level, Exit code and the loaded Modules. The child utilities (tasklist.exe, find.exe, timeout.exe) run from C:\Windows\SysWOW64 because their parent is a 32-bit image; the wow64.dll, wow64win.dll and wow64cpu.dll entries in every module list are the WoW64 compatibility layer Windows maps into each 32-bit process.

PID 240 | CMD: "C:\Users\admin\Downloads\Portable\SynapseEnabler.exe" | Path: C:\Users\admin\Downloads\Portable\SynapseEnabler.exe | Parent: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\downloads\portable\synapseenabler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 452 | CMD: tasklist /NH /FI "IMAGENAME eq RazerCentralService.exe" | Path: C:\Windows\SysWOW64\tasklist.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 480 | CMD: TIMEOUT /T 1 /NOBREAK | Path: C:\Windows\SysWOW64\timeout.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 564 | CMD: tasklist /NH /FI "IMAGENAME eq RazerCentralService.exe" | Path: C:\Windows\SysWOW64\tasklist.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 608 | CMD: tasklist /NH /FI "IMAGENAME eq Razer Synapse Service.exe" | Path: C:\Windows\SysWOW64\tasklist.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 776 | CMD: "C:\Users\admin\Downloads\Portable\SynapseEnabler.exe" | Path: C:\Users\admin\Downloads\Portable\SynapseEnabler.exe | Parent: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image asks for administrator rights in its manifest and cannot run at MEDIUM integrity; only ntdll.dll was mapped before it exited. PID 240 above is the same image started again at HIGH integrity, which is why every child in this table also runs at HIGH.)
Modules
Images
c:\users\admin\downloads\portable\synapseenabler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 992 | CMD: FIND /I "Razer Synapse Service.exe" | Path: C:\Windows\SysWOW64\find.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1 (FIND exits 1 when the search string is not found in its input: the named Razer process was not running in the guest)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\find.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 992 | CMD: tasklist /NH /FI "IMAGENAME eq Razer Synapse 3.exe" | Path: C:\Windows\SysWOW64\tasklist.exe | Parent: cmd.exe (PID 992 is reused here after the find.exe instance above exited; short-lived loop children recycle PIDs quickly, so correlate on image and command line rather than on PID alone)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 1068 | CMD: FIND /I "GameManagerServiceStartup.exe" | Path: C:\Windows\SysWOW64\find.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\find.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1068 | CMD: TIMEOUT /T 1 /NOBREAK | Path: C:\Windows\SysWOW64\timeout.exe | Parent: cmd.exe (PID 1068 reused after the find.exe instance above exited)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 32 180
Read events: 32 154
Write events: 26
Delete events: 0

Modification events

(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Portable.zip
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID 2516) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: write | Name: 0 | Value: C:\Users\admin\Downloads
(PID 5600) SynapseKiller.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1

The WinRAR.exe entries are the archiver's own UI and history state from opening and extracting the archive; the older ArcHistory entry (GoogleChromeEnterpriseBundle64.zip) predates this task and is unrelated to the sample. The only write by the sample itself, ZoneMap\ProxyBypass = 1 from SynapseKiller.exe, is a routine side effect of a process initializing WinINet/URL security-zone settings and is not, on its own, evidence of proxy or zone tampering.
Executable files: 4
Suspicious files: 1
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type, followed by the file's MD5 and SHA256

5600 | SynapseKiller.exe | C:\Users\admin\AppData\Local\Temp\70FC.tmp\wait.bat | text
MD5: D9431234BDB4098B1791E62D574C2CE3 | SHA256: 99C59F712CD4B89BE7F498F7377EC986D4CE68D8545CA7DB555B8016FA86410A
2516 | WinRAR.exe | C:\Users\admin\Downloads\Portable\SynapseKiller.exe | executable
MD5: 998FF76F537872561C30102953D5189A | SHA256: BE89C405543C927F9E4B1FD72C8F5DA1D19FD67EB53A8141BF50CC892F6ED5AA
4720 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hdcqfpti.jnm.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2516 | WinRAR.exe | C:\Users\admin\Downloads\Portable\SynapseEnabler.exe | executable
MD5: 5085A7746A700D25B74007826B37BD16 | SHA256: 8475B8B30CEDE684F61F339CA2EA13ED8910CC7265E6C75241D1252CCC07D7FC
4720 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b5lv5a5y.j3u.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1296 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jepofjft.1bz.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5600 | SynapseKiller.exe | C:\Users\admin\AppData\Local\Temp\70FC.tmp\nircmdc.exe | executable
MD5: 0E69B6BD18E064C83A11B48495C1B01E | SHA256: 67E0D635825CBF7CC213670F671544DA9FF18047742DD4A0696A508B79EEF607
4720 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 69ECD1DED0A84D2BEE0188D867CE9886 | SHA256: 7BE3E63642D7ED386B91F6372968B703680BFE145EE1CF0B793691BA4156703D
240 | SynapseEnabler.exe | C:\Users\admin\AppData\Local\Temp\A1E0.tmp\notify.bat | text
MD5: F9531F7184A0CA9F5CB07D213F26325F | SHA256: BA7CD68C38DBABAB6E50ACD022C5000D81654C4C81B85532C673F62D688B74D0
5600 | SynapseKiller.exe | C:\Users\admin\AppData\Local\Temp\70FC.tmp\notify.bat | text
MD5: F9531F7184A0CA9F5CB07D213F26325F | SHA256: BA7CD68C38DBABAB6E50ACD022C5000D81654C4C81B85532C673F62D688B74D0

Reading the list: the two executables written by WinRAR.exe are the archive's contents being extracted. Each tool then unpacks helper files into its own %TEMP%\<hex>.tmp\ folder (70FC.tmp for SynapseKiller.exe, A1E0.tmp for SynapseEnabler.exe) and runs a batch file from there; a .bat beside a bundled NirSoft nircmdc.exe in such a folder is consistent with a batch script wrapped into an EXE rather than a compiled program, which matches the "Executing commands from a .bat file" indicator above. notify.bat is byte-identical in both tools (same SHA256). The three __PSScriptPolicyTest_* files and StartupProfileData-NonInteractive are written by PowerShell itself on every start (the policy-test files share one hash because their content is PowerShell's fixed probe script) and say nothing about the sample.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 63
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | remaining columns (CN, Type, Size, Reputation) as exported
376 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
376 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown, unknown
3944 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown, unknown
6932 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown, unknown
6976 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown, unknown
6344 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown, unknown
6344 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown, unknown

All eight requests are certificate revocation checks (CRL downloads from Microsoft, OCSP queries to DigiCert) made by Windows components: svchost.exe, SearchApp.exe, backgroundTaskHost.exe and SIHClient.exe. None originates from a PID in the sample's process tree, so they are background activity of the guest OS, not sample traffic.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
376 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4448 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5148 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
376 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
376 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
376 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
376 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

Every connection listed belongs to a Windows component (System, svchost.exe, RUXIMICS.exe, MoUsoCoreWorker.exe): telemetry to settings-win.data.microsoft.com, CRL fetches, and NetBIOS/SSDP broadcasts on the local segment. None of the PIDs in the sample's process tree (SynapseKiller.exe 5600, SynapseEnabler.exe 240, or their cmd.exe, powershell.exe and nircmd.exe children) appears here, so this run shows no network activity attributable to the sample itself.
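The Process information, Dropped files and Connections sections above, read together, carry three triage signals: a MEDIUM-integrity start that exits with 3221226540 followed by a HIGH-integrity start of the same image, a cmd.exe subtree that spawns tasklist /FI "IMAGENAME eq ..." and TIMEOUT /T 1 over and over, and helper files unpacked into %TEMP%\XXXX.tmp\, while every connection belongs to a Windows component. The Python below is an added example for this page, not ANY.RUN tooling and not the sample's own code, that turns those observations into checks over a process list. The event records are constructed from the report's values; the parent PIDs for the cmd/tasklist/find/timeout chain, the explorer.exe PID and the record layout are assumptions, since the report names only the parent image.

```python
import re
from collections import defaultdict

# NTSTATUS a manifest-elevated image exits with when started without elevation.
STATUS_ELEVATION_REQUIRED = 0xC000042C  # 3221226540 in the report
# Constructed records. PIDs, images, command lines, integrity levels and exit codes
# are taken from the report; the ppid values, the explorer.exe PID and this dict
# layout are assumptions (the report names only the parent image).
PROCS = [
    dict(pid=4242, ppid=0,    image="explorer.exe",       cmd="", il="MEDIUM", exit=None),
    dict(pid=776,  ppid=4242, image="SynapseEnabler.exe", cmd="", il="MEDIUM", exit=3221226540),
    dict(pid=240,  ppid=4242, image="SynapseEnabler.exe", cmd="", il="HIGH",   exit=0),
    dict(pid=5600, ppid=4242, image="SynapseKiller.exe",  cmd="", il=None,     exit=None),
    dict(pid=1708, ppid=240,  image="cmd.exe", cmd="", il="HIGH", exit=0),  # loop shell
    dict(pid=6424, ppid=1708, image="cmd.exe", cmd="", il="HIGH", exit=0),  # one tasklist/find pass
    dict(pid=6304, ppid=1708, image="cmd.exe", cmd="", il="HIGH", exit=0),
    dict(pid=7160, ppid=1708, image="cmd.exe", cmd="", il="HIGH", exit=0),
    dict(pid=452,  ppid=6424, image="tasklist.exe", il="HIGH", exit=0,
         cmd='tasklist /NH /FI "IMAGENAME eq RazerCentralService.exe"'),
    dict(pid=608,  ppid=6304, image="tasklist.exe", il="HIGH", exit=0,
         cmd='tasklist /NH /FI "IMAGENAME eq Razer Synapse Service.exe"'),
    dict(pid=992,  ppid=7160, image="tasklist.exe", il="HIGH", exit=0,
         cmd='tasklist /NH /FI "IMAGENAME eq Razer Synapse 3.exe"'),
    dict(pid=1068, ppid=7160, image="find.exe", il="HIGH", exit=1,
         cmd='FIND /I "GameManagerServiceStartup.exe"'),
    dict(pid=480,  ppid=1708, image="timeout.exe", il="HIGH", exit=0, cmd="TIMEOUT /T 1 /NOBREAK"),
]
# (pid, path) from the Dropped files section; (pid, process, remote) from Connections.
DROPPED = [
    (5600, r"C:\Users\admin\AppData\Local\Temp\70FC.tmp\wait.bat"),
    (2516, r"C:\Users\admin\Downloads\Portable\SynapseKiller.exe"),
    (4720, r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hdcqfpti.jnm.ps1"),
    (5600, r"C:\Users\admin\AppData\Local\Temp\70FC.tmp\nircmdc.exe"),
    (240,  r"C:\Users\admin\AppData\Local\Temp\A1E0.tmp\notify.bat"),
    (5600, r"C:\Users\admin\AppData\Local\Temp\70FC.tmp\notify.bat"),
]
CONNS = [(4, "System", "192.168.100.255:137"), (376, "svchost.exe", "4.231.128.59:443"),
         (4448, "RUXIMICS.exe", "4.231.128.59:443")]
IMAGENAME_RE = re.compile(r'IMAGENAME\s+eq\s+([^"]+)', re.I)
TEMP_STAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\([0-9A-F]{4}\.tmp)\\([^\\]+)$", re.I)
PS_POLICY_PROBE_RE = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.psm?1$", re.I)

def descendants(procs, root):
    """All PIDs below root in the parent/child tree (root itself excluded)."""
    tree = defaultdict(list)
    for p in procs:
        tree[p["ppid"]].append(p["pid"])
    seen, stack = set(), [root]
    while stack:
        for child in tree[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def elevation_relaunches(procs):
    """(failed_pid, elevated_pid, image) for an image that exited with
    STATUS_ELEVATION_REQUIRED at MEDIUM integrity and also ran at HIGH: the tool
    demands administrator rights and the UAC prompt was answered."""
    return [(p["pid"], q["pid"], p["image"]) for p in procs
            if p["exit"] == STATUS_ELEVATION_REQUIRED and p["il"] == "MEDIUM"
            for q in procs if q["il"] == "HIGH" and q["image"].lower() == p["image"].lower()]

def polling_loops(procs, min_polls=3):
    """{cmd_pid: polled image names} for each cmd.exe whose subtree runs tasklist
    with an IMAGENAME filter at least min_polls times and sleeps with timeout.exe,
    the 'is process X running yet?' loop seen in this report."""
    found = {}
    for p in procs:
        if p["image"].lower() != "cmd.exe":
            continue
        sub = [q for q in procs if q["pid"] in descendants(procs, p["pid"])]
        polls = [m.group(1).strip() for q in sub if q["image"].lower() == "tasklist.exe"
                 for m in [IMAGENAME_RE.search(q["cmd"])] if m]
        if len(polls) >= min_polls and any(q["image"].lower() == "timeout.exe" for q in sub):
            found[p["pid"]] = sorted(set(polls))
    return found

def temp_stage_folders(dropped):
    """Dropped files grouped by %TEMP%\\XXXX.tmp\\ folder, kept when a .bat is among
    them: the self-unpack footprint of a batch script wrapped into an EXE.
    PowerShell's __PSScriptPolicyTest_* files are skipped as known startup noise."""
    groups = defaultdict(list)
    for pid, path in dropped:
        m = TEMP_STAGE_RE.search(path)
        if m and not PS_POLICY_PROBE_RE.search(path):
            groups[(pid, m.group(1))].append(m.group(2).lower())
    return {k: sorted(v) for k, v in groups.items() if any(f.endswith(".bat") for f in v)}

def sample_connections(procs, conns, roots):
    """Connections whose PID is one of roots or a descendant of one of them."""
    pids = set(roots).union(*(descendants(procs, r) for r in roots))
    return [c for c in conns if c[0] in pids]

if __name__ == "__main__":
    print("elevation relaunches:", elevation_relaunches(PROCS))
    print("polling loops:", polling_loops(PROCS))
    print("staging folders:", temp_stage_folders(DROPPED))
    print("sample-tree connections:", sample_connections(PROCS, CONNS, [240, 5600]))
```

Run as a script it prints the four findings for the constructed data; to use it on a real export, map the export's fields onto the same keys and pass the sample's root PIDs to sample_connections. The elevation check keys on the NTSTATUS value, not on integrity level alone, so a tool that was launched elevated from the start is not flagged, and the loop check requires both repeated filtered tasklist calls and a timeout.exe sleep so that a single diagnostic tasklist does not trigger it.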

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.125.143
  • 95.101.149.131
whitelisted
www.bing.com
  • 184.86.251.30
  • 184.86.251.19
  • 184.86.251.27
  • 184.86.251.28
  • 184.86.251.21
  • 184.86.251.24
  • 184.86.251.25
  • 184.86.251.17
  • 184.86.251.22
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.71
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
arc.msn.com
  • 20.105.99.58
whitelisted

Threats

No threats detected
No debug info