File name: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa

Full analysis: https://app.any.run/tasks/6b1049f3-f706-488c-8c4d-376a74e04394
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: July 05, 2025, 21:58:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: AFD62F9F16918C40A5FB392CE298179F
SHA1: 2BA1EC5E2A6E67B9DE1051E9501A6C19FFF37415
SHA256: 83354F7B5EE916CDECB948DA2C02B1F76C3465CB341E50C5397805C16C6084FA
SSDEEP: 1536:hm/dx5JZHzek3h/0holIHRPgX+Oswnxl/ZmbOpYbj9UksjrLGD49WOgo10y:hedx5JZHb3h/0holIHWBnD/wSeXaj3LB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2508)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses AES cipher (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • XWORM has been detected (YARA)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2508)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Process drops legitimate windows executable

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Identifying current user with WHOAMI command

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses base64 encoding (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets content of a file (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Reads security settings of Internet Explorer

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses sleep to delay execution (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Connects to the server without a host name

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 3620)
      • csc.exe (PID: 432)
    • The process hides Powershell's copyright startup banner

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Adds/modifies Windows certificates

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Starts POWERSHELL.EXE for commands execution

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • The process bypasses the loading of PowerShell profile settings

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Connects to unusual port

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
  • INFO

    • Reads the computer name

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks supported languages

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • cvtres.exe (PID: 6724)
      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 6104)
    • Reads the machine GUID from the registry

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 3620)
      • csc.exe (PID: 432)
    • Reads Environment values

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks whether the specified file exists (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Create files in a temporary directory

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • cvtres.exe (PID: 6724)
      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 6104)
    • Reads the software policy settings

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • slui.exe (PID: 2648)
    • Creates files or folders in the user directory

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks proxy server information

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • slui.exe (PID: 2648)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • powershell.exe (PID: 7016)
    • Disables trace logs

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets data length (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (47.7)
.scr | Windows screen saver (22.6)
.dll | Win32 Dynamic Link Library (generic) (11.3)
.exe | Win32 Executable (generic) (7.7)
.exe | Win16/32 Executable Delphi generic (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:01 05:17:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 41472
InitializedDataSize: 18432
UninitializedDataSize: -
EntryPoint: 0xc10e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.6.5.2774
ProductVersionNumber: 3.6.5.2774
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 系统服务应用
CompanyName: Microsoft Corporation
FileDescription: Micrsoft@Windows
FileVersion: 3.6.5.2774
InternalName: sihost.exe
LegalCopyright: Micrsoft@Windows
LegalTrademarks: ™ 2025 Microsoft Corporation
OriginalFileName: sihost.exe
ProductName: Micrsoft@Windows
ProductVersion: 3.6.5.2774
AssemblyVersion: 3.6.5.2774
No data.
All screenshots are available in the full report
Total processes: 144
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process nodes in the graph, in the report's order:
  • start
  • #XWORM rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
  • conhost.exe (no specs)
  • whoami.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe
  • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (no specs)

Process information

PID: 432
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules:
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2508
CMD: "C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe"
Path: C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Micrsoft@Windows
Exit code: 3221226540
Version: 3.6.5.2774
Modules:
c:\users\admin\desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
c:\windows\system32\ntdll.dll
PID: 2648
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2716
CMD: "C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe"
Path: C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Micrsoft@Windows
Version: 3.6.5.2774
Modules:
c:\users\admin\desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3620
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\0tjl3gdy\0tjl3gdy.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules:
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6104
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES80D8.tmp" "c:\Users\admin\AppData\Local\Temp\0tjl3gdy\CSCA6DA225FA0E847A3ACFAED2C6D83689C.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules:
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6664
CMD: "C:\WINDOWS\system32\whoami.exe"
Path: C:\Windows\System32\whoami.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: whoami - displays logged on user information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6724
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES803C.tmp" "c:\Users\admin\AppData\Local\Temp\3gy0oqli\CSC7260504DDD2C466084A527CEA4909AA0.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules:
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Total events: 21 464
Read events: 21 442
Write events: 18
Delete events: 4

Modification events

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Value:

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Operation: write
Name: Blob
Value: (omitted)

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Operation: write
Name: Blob
Value: (omitted)

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 07E032E020B72C3F192F0628A2593A19A70F069E
Value:

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation: write
Name: Blob
Value: (omitted)

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation: write
Name: Blob
Value:
5C0000000100000004000000000800001D0000000100000010000000E3F9AF952C6DF2AAA41706A77A44C2036200000001000000200000005C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703081900000001000000100000001F7E750B566B128AC0B8D6576D2A70A503000000010000001400000007E032E020B72C3F192F0628A2593A19A70F069E0F0000000100000014000000A8569CCD21EF9CC5737C7A12DF608C2CBC545DF153000000010000006500000030633021060B2A84680186F6770205010130123010060A2B0601040182373C0101030200C03021060B2A84680186F6770205010730123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00B0000000100000034000000430065007200740075006D002000540072007500730074006500640020004E006500740077006F0072006B0020004300410000001400000001000000140000000876CDCB07FF24F6C5CDEDBB90BCE284374675F7040000000100000010000000D5E98140C51869FC462C8975620FAA782000000001000000BF030000308203BB308202A3A00302010202030444C0300D06092A864886F70D0101050500307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B204341301E170D3038313032323132303733375A170D3239313233313132303733375A307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B20434130820122300D06092A864886F70D01010105000382010F003082010A0282010100E3FB7DA372BAC2F0C91487F56B014EE16E4007BA6D275D7FF75B2DB35AC7515FABA432A66187B66E0F86D2300297F8D76957A118395D6A6479C60159AC3C314A387CD204D24B28E8205F3B07A2CC4D73DBF3AE4FC756D55AA79689FAF3AB68D423865927CF0927BCAC6E72831C3072DFE0A2E9D2E1747519BD
2A9E7B1554041BD74339AD5528C5E21ABBF4C0E4AE384933CC76859F3945D2A49EF2128C51F87CE42D7FF5AC5FEB169FB12DD1BACC9142774C25C990386FDBF0CCFB8E1E97593ED5604EE60528ED4979134BBA48DB2FF972D339CAFE1FD83472F5B440CF3101C3ECDE112D175D1FB850D15E19A769DE073328CA5095F9A754CB54865045A9F9490203010001A3423040300F0603551D130101FF040530030101FF301D0603551D0E041604140876CDCB07FF24F6C5CDEDBB90BCE284374675F7300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100A6A8AD22CE013DA6A3FF62D0489D8B5E72B07844E3DC1CAF09FD2348FABD2AC4B95504B510A38D27DE0B8263D0EEDE0C3779415B22B2B09A415CA670E0D4D077CB23D300E06C562FE1690D0DD9AABF218150D906A5A8FF9537D0AAFEE2B3F5992D45848AE54209D774022FF789D899E9BC27D4478DBA0D461C77CF14A41CB9A431C49C28740334FF331926A5E90D74B73E97C676E82796A366DDE1AEF2415BCA9856837370E4861AD23141BA2FBE2D135A766F4EE84E810E3F5B0322A012BE6658114ACB03C4B42A2A2D9617E03954BC48D376279D9A2D06A6C9EC39D2ABDB9F9A0B27023529B14095E7F9E89C55881946D6B734F57ECE399AD938F151F74F2C
Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value:

Executable files: 2
Suspicious files: 13
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_B1FC795F78C340242DA37AB2EDA86AED | binary
  MD5: 39E006C5B03614465A0F03856E34A6D1
  SHA256: F767910A0E717F58ACB004100170653292D473DF8892C9C96E118CDFEC35E24A
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.cmdline | text
  MD5: F5D0E18A39BBCA6CF75119438F778148
  SHA256: 6A5186F4C4BBBCBEABEB55D7A562A2C91E2E2D470B488A4F0995A9AEA2A65B78
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\856FDBDDFEAC90A3D62D621EBF196637 | binary
  MD5: E4AF6DEBFB86571BCBFBCEE68DABA556
  SHA256: 13943EB10C5A474E425C87DF08683D23444349344F48F66D2AC12768D28C93B4
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | binary
  MD5: 28C4BA14D30A22F15512F9F8D6D44494
  SHA256: 6C1B0F3C70E05F25901EA9BF5BDA798D71A1F91DE9FADA4FD6D1C412AA175E49
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\856FDBDDFEAC90A3D62D621EBF196637 | binary
  MD5: F2DA7AF748219F144DD4A6C996A1CCD7
  SHA256: 2E7F23A5D23ADEEFB055CCC4F58969D71C086A5B32E7A751254CE5CAC6949A70
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\path_info.txt | text
  MD5: EC8A8684403767FA605CB01CCA69954D
  SHA256: A09EB447C1BC1B279F823BF90487BAF8BF44A4F386D20754025749F9F197EF17
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.0.cs | text
  MD5: EDBD145343899CE0DC821021604EFE49
  SHA256: 3DD1EFC14F57F0504DACA0B0D1A826F72F3FF1AE6B3356F367D4CC7C129062E8
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4 | binary
  MD5: CAD18364ECD4625CF91E95C6525CC1D4
  SHA256: D276EFA69EA025E1613761A41A4B7A07399DE8FA63172FB1BCB58AB3279EEB7C
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | binary
  MD5: 38DE3ABBE753D72C68914D88CEF8C793
  SHA256: 53B098F2D75A2F09318D49465F4E0A93340E5CC387F0E43076D08163D59A047D
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_B1FC795F78C340242DA37AB2EDA86AED | binary
  MD5: 73BF29B6EB8E818E10F607CCD853965B
  SHA256: 831D94A56B7D1B3D81199B9C5541D460DBF14CC8B3803A3B2FCE78D5EB8F00CE

HTTP(S) requests: 13
TCP/UDP connections: 28
DNS requests: 12
Threats: 1

HTTP requests

Columns in the report: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (each row below keeps only the fields the report shows, in that order)
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 95.101.111.168:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | unknown | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 95.101.111.168:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | unknown | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 95.101.111.168:80 | http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQCZo4AKJlU7ZavcboSms%2Bo5 | unknown | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 2.21.239.9:80 | http://crl.certum.pl/ctnca.crl | unknown | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 104.233.236.65:80 | http://104.233.236.65/protected_sihost_20250701_131706.txt | unknown
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 2.21.239.21:80 | http://ccsca2021.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRxypYNH69rICCzQBIRXN0YAFa3AAQU3XRdTADbe5%2BgdMqxbvc8wDLAcM0CEHrRX3%2B5xQH5vPxM6aWBNXs%3D | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
756 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
subca.ocsp-certum.com
  • 95.101.111.168
  • 95.101.111.144
whitelisted
crl.certum.pl
  • 2.21.239.9
  • 2.21.239.23
whitelisted
ccsca2021.ocsp-certum.com
  • 2.21.239.21
  • 2.21.239.27
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

PID | Process | Class | Message
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info