File name:

rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa

Full analysis: https://app.any.run/tasks/6b1049f3-f706-488c-8c4d-376a74e04394
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: July 05, 2025, 21:58:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

AFD62F9F16918C40A5FB392CE298179F

SHA1:

2BA1EC5E2A6E67B9DE1051E9501A6C19FFF37415

SHA256:

83354F7B5EE916CDECB948DA2C02B1F76C3465CB341E50C5397805C16C6084FA

SSDEEP:

1536:hm/dx5JZHzek3h/0holIHRPgX+Oswnxl/ZmbOpYbj9UksjrLGD49WOgo10y:hedx5JZHb3h/0holIHWBnD/wSeXaj3LB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2508)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses AES cipher (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • XWORM has been detected (YARA)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Starts a Microsoft application from unusual location

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2508)
    • Reads security settings of Internet Explorer

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Identifying current user with WHOAMI command

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses base64 encoding (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets content of a file (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses sleep to delay execution (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Adds/modifies Windows certificates

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Connects to the server without a host name

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 432)
      • csc.exe (PID: 3620)
    • The process bypasses the loading of PowerShell profile settings

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Connects to unusual port

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • The process hides Powershell's copyright startup banner

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Starts POWERSHELL.EXE for commands execution

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
  • INFO

    • Reads the machine GUID from the registry

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • csc.exe (PID: 3620)
    • Reads the computer name

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Reads Environment values

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks supported languages

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • cvtres.exe (PID: 6724)
      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 6104)
    • Checks whether the specified file exists (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Create files in a temporary directory

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • cvtres.exe (PID: 6724)
      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 6104)
    • Reads the software policy settings

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • slui.exe (PID: 2648)
    • Creates files or folders in the user directory

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • powershell.exe (PID: 7016)
    • Disables trace logs

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks proxy server information

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • slui.exe (PID: 2648)
    • Gets data length (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (47.7)
.scr | Windows screen saver (22.6)
.dll | Win32 Dynamic Link Library (generic) (11.3)
.exe | Win32 Executable (generic) (7.7)
.exe | Win16/32 Executable Delphi generic (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:01 05:17:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 41472
InitializedDataSize: 18432
UninitializedDataSize: -
EntryPoint: 0xc10e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.6.5.2774
ProductVersionNumber: 3.6.5.2774
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 系统服务应用
CompanyName: Microsoft Corporation
FileDescription: Micrsoft@Windows
FileVersion: 3.6.5.2774
InternalName: sihost.exe
LegalCopyright: Micrsoft@Windows
LegalTrademarks: ™ 2025 Microsoft Corporation
OriginalFileName: sihost.exe
ProductName: Micrsoft@Windows
ProductVersion: 3.6.5.2774
AssemblyVersion: 3.6.5.2774
No data.
Total processes
144
Monitored processes
11
Malicious processes
1
Suspicious processes
1

Behavior graph

  • start
  • #XWORM rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
  • conhost.exe (no specs)
  • whoami.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe
  • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
432
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process:
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2508
CMD:
"C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe"
Path:
C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Micrsoft@Windows
Exit code:
3221226540
Version:
3.6.5.2774
Modules
Images
c:\users\admin\desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
c:\windows\system32\ntdll.dll
PID:
2648
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2716
CMD:
"C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe"
Path:
C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Micrsoft@Windows
Version:
3.6.5.2774
Modules
Images
c:\users\admin\desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
2880
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3620
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\0tjl3gdy\0tjl3gdy.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process:
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
4400
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6104
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES80D8.tmp" "c:\Users\admin\AppData\Local\Temp\0tjl3gdy\CSCA6DA225FA0E847A3ACFAED2C6D83689C.TMP"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process:
csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6664
CMD:
"C:\WINDOWS\system32\whoami.exe"
Path:
C:\Windows\System32\whoami.exe
Parent process:
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
whoami - displays logged on user information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6724
CMD:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES803C.tmp" "c:\Users\admin\AppData\Local\Temp\3gy0oqli\CSC7260504DDD2C466084A527CEA4909AA0.TMP"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process:
csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
21 464
Read events
21 442
Write events
18
Delete events
4

Modification events

(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:
delete value
Name:
D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Value:
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Operation:
write
Name:
Blob
Value:
0400000001000000100000006D469ED9256D08235B5E747D1E27DBF2140000000100000014000000B6A1543902C3A03F8E8ABCFAD4F81CA6D13A0EFD09000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B0601050507030153000000010000006500000030633021060B2A84680186F6770205010130123010060A2B0601040182373C0101030200C03021060B2A84680186F6770205010730123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00F00000001000000400000005CF58DC4429325FB69E9498383333ACBF76EDDFD5845BB9D29FDB935B2652C9184295565157A1D83335F9B67E3E2B67D6C01238CE81ADECBF3D75E98B3E99D79030000000100000014000000D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC309219000000010000001000000015B8B4807E45C1AE49FA34DAA40347E60B0000000100000038000000430065007200740075006D002000540072007500730074006500640020004E006500740077006F0072006B00200043004100200032000000620000000100000020000000B676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B8041D000000010000001000000004321CCBC528A397F1620CB39DFC6D352000000001000000D6050000308205D2308203BAA003020102021021D6D04A4F250FC93237FCAA5E128DE9300D06092A864886F70D01010D0500308180310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312430220603550403131B43657274756D2054727573746564204E6574776F726B20434120323022180F32303131313030363038333935365A180F32303436313030363038333935365A308180310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312430220603550403131B43657274756D2054727573746564204E6574776F726B204341203230820222300D06092A864886F70D01010105000382020F003082020A0282020100BDF978F8E6D5800C649D861B9664673F223A1E75017DEFFB5C678CC9CC5C6BA991E6B942E5204B9BDA9B7BB9995DD99B804BD784402B27D3E8BA30BB3E091AA74995EF2B4024C297C7A7EE9B25EFA80A0097855AAA9DDC29C9E23507EB704D4AD6C1B356B8A141389BD1FB31
7F8FE05FE1B13F0F8E164960D7068D18F9AA2610AB2AD3D0D1678D1B46BE4730D52E72D1C563DAE76379447E4B632489862E343F294C528B2AA7C0E2912889B9C05BF91DD9E727ADFF9A0297C1C650929B022CBDA9B934590ABF844AFFDFFEB39FEBD99EE09823ECA66B77162ADBCCAD3B1CA487DC46735E1962684557E4908242BB42D6F061E0C1A33D66A35DF418EE88C98D1745299932750231EE2926C86B02E6B562457F37155A236889D43EDE4E27B0F0400CBC4D17CB4DA2B31ED0065ADDF693CF577599F5FA861A6778B3BF96FE34DCBDE75256E5B3E5757BD7419105DC5D69E3950D43B9FC839639957B6C805A4F1372C6D77D297A44BA52A42AD541460920FE22A0B65B308DBC890CD5D770F88752FDDAEFAC512E07B34EFED009DA70EF98FA56E66DDBB5574BDCE52C2515C89E2E784EF8DA9C9E862CCA57F31AE5C8928B1A82967AC3BC501269D80E5A468B3AEB26FA23C9B6B081BE4200A4F8D6FE302EC7D246F6E58E75FDF2CCB9D0875BCC061060BB8335B75E67DE47EC9948F1A4A115FEAD8C628E39554F3916B9B1639DFFB70203010001A3423040300F0603551D130101FF040530030101FF301D0603551D0E04160414B6A1543902C3A03F8E8ABCFAD4F81CA6D13A0EFD300E0603551D0F0101FF040403020106300D06092A864886F70D01010D0500038202010071A50ECEE4E9BF3F38D5895AC40261FB4CC514172D8B4F536B1017FC6584C7104990DEDBC7269388266F70D6025E39A0F78FAB96B5A5135C81146D0E8182111B8A4EC64FA5DD621E44DF0959F45B770B37E98B20C6F80A4E2E581CEB33D0CF8660C9DAFB802F9E4C6084783D2164D6FB411F180FE7C97571BDBD5CDE34873E41B00EF6B9D63F091396142FDE9A1D5AB956CE353AB05F704D5EE329F123287259B6ABC28C66261C772C2676358B28A769A0F93BF523DD851074C990035691E7AFBA47D412971122E3A249946CE7B7944BBA2DA4DA338B4CA644FF5A3CC61D64D8B531E4A63C7AA8570BDBED611ACBF1CE737763A4876F4C5138D6E45FC79FB6812AE4854879585E3BF8DB028267C139DBC3744B3D361EF9299388685BA8441921F0A7E8810D2CE89336B437B2CAB01B267A9A251F9A9A809E4B2A3FFBA39AFE733271C29EC672E18A6827F1E40FB4C44CA56193F89710072A3025A9B9C871B8EF68CC2D7EF5E07E0F82A86FB6BA6C834377CD8A9217A19E5B78163D45E23372DDE166CA99D3C9C526FD0D680446AEB6D99B8CBE19BEB1C6F219E35C02CA2CD86F4A07D9C935DA4075F2C4A7196F9E42109875E6958B60BCEDC512D78ACED5985C569603C5EE770635FFCFE4EE3F1361EEDBDA2D85F0CDAE9DB2180945C392A17217FC47B6A00B2CF1C4DE4368086A5F3BF07663FBCC062C
A6C6E20EB5B9BE248F
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:
delete value
Name:
07E032E020B72C3F192F0628A2593A19A70F069E
Value:
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation:
write
Name:
Blob
Value:
040000000100000010000000D5E98140C51869FC462C8975620FAA781400000001000000140000000876CDCB07FF24F6C5CDEDBB90BCE284374675F70B0000000100000034000000430065007200740075006D002000540072007500730074006500640020004E006500740077006F0072006B00200043004100000053000000010000006500000030633021060B2A84680186F6770205010130123010060A2B0601040182373C0101030200C03021060B2A84680186F6770205010730123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00F0000000100000014000000A8569CCD21EF9CC5737C7A12DF608C2CBC545DF103000000010000001400000007E032E020B72C3F192F0628A2593A19A70F069E1900000001000000100000001F7E750B566B128AC0B8D6576D2A70A5090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703086200000001000000200000005C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E1D0000000100000010000000E3F9AF952C6DF2AAA41706A77A44C2032000000001000000BF030000308203BB308202A3A00302010202030444C0300D06092A864886F70D0101050500307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B204341301E170D3038313032323132303733375A170D3239313233313132303733375A307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B20434130820122300D06092A864886F70D01010105000382010F003082010A0282010100E3FB7DA372BAC2F0C91487F56B014EE16E4007BA6D275D7FF75B2DB35AC7515FABA432A66187B66E0F86D2300297F8D76957A118395D6A6479C60159AC3C314A387CD204D24B28E8205F3B07A2CC4D73DBF3AE4FC756D55AA79689FAF3AB68D423865927CF0927BCAC6E72831C3072DFE0A2E9D2E1747519BD2A9E7B1554041BD74339AD5528C5E21A
BBF4C0E4AE384933CC76859F3945D2A49EF2128C51F87CE42D7FF5AC5FEB169FB12DD1BACC9142774C25C990386FDBF0CCFB8E1E97593ED5604EE60528ED4979134BBA48DB2FF972D339CAFE1FD83472F5B440CF3101C3ECDE112D175D1FB850D15E19A769DE073328CA5095F9A754CB54865045A9F9490203010001A3423040300F0603551D130101FF040530030101FF301D0603551D0E041604140876CDCB07FF24F6C5CDEDBB90BCE284374675F7300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100A6A8AD22CE013DA6A3FF62D0489D8B5E72B07844E3DC1CAF09FD2348FABD2AC4B95504B510A38D27DE0B8263D0EEDE0C3779415B22B2B09A415CA670E0D4D077CB23D300E06C562FE1690D0DD9AABF218150D906A5A8FF9537D0AAFEE2B3F5992D45848AE54209D774022FF789D899E9BC27D4478DBA0D461C77CF14A41CB9A431C49C28740334FF331926A5E90D74B73E97C676E82796A366DDE1AEF2415BCA9856837370E4861AD23141BA2FBE2D135A766F4EE84E810E3F5B0322A012BE6658114ACB03C4B42A2A2D9617E03954BC48D376279D9A2D06A6C9EC39D2ABDB9F9A0B27023529B14095E7F9E89C55881946D6B734F57ECE399AD938F151F74F2C
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:
write
Name:
EnableConsoleTracing
Value:
0
(PID) Process:
(2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:
write
Name:
FileTracingMask
Value:

Executable files
2
Suspicious files
13
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2716
Process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bcrucmxi.kqt.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2716
Process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061
Type: binary
MD5: 28C4BA14D30A22F15512F9F8D6D44494
SHA256: 6C1B0F3C70E05F25901EA9BF5BDA798D71A1F91DE9FADA4FD6D1C412AA175E49

PID: 2716
Process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tzaej4mn.o3a.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 432
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.out
Type: text
MD5: 889CD436DF62D5D9C9CC303D16EF585B
SHA256: 7813DCCFDFF6A6173504861D69F22C30C57F7224FFF8D72409F146B0B2B98141

PID: 2716
Process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Filename: C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.cmdline
Type: text
MD5: F5D0E18A39BBCA6CF75119438F778148
SHA256: 6A5186F4C4BBBCBEABEB55D7A562A2C91E2E2D470B488A4F0995A9AEA2A65B78

PID: 6724
Process: cvtres.exe
Filename: C:\Users\admin\AppData\Local\Temp\RES803C.tmp
Type: binary
MD5: BEB721A91A381DFA372DE5C2F4748EE5
SHA256: 873C5DF962B608E93A75B804EC28F352502DD7B5804CB7EC4D83CD9AD56D49F8

PID: 432
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\3gy0oqli\CSC7260504DDD2C466084A527CEA4909AA0.TMP
Type: binary
MD5: DF86AC4A1FB4BE6CA2B06A3B27CE8255
SHA256: DB1FC5BFD26F39730D4DA6D214733F90F84D7B0BA148B47BC21D15AC2CABAF66

PID: 3620
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\0tjl3gdy\CSCA6DA225FA0E847A3ACFAED2C6D83689C.TMP
Type: binary
MD5: F30E42868E9A5DA57FA41C1718BBD8D0
SHA256: E091674B51103996AAE3089B8CD3755905DB88194474A9D8F78A31A9765708DE

PID: 2716
Process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Filename: C:\Users\admin\AppData\Local\Temp\0tjl3gdy\0tjl3gdy.0.cs
Type: text
MD5: D9F117F4210876680D02927F17BE15CF
SHA256: 8294CAA9889D008091DBD8A69AEF5D0123E87C0278A05556BC8E564DD1DD1E90

PID: 2716
Process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\856FDBDDFEAC90A3D62D621EBF196637
Type: binary
MD5: F2DA7AF748219F144DD4A6C996A1CCD7
SHA256: 2E7F23A5D23ADEEFB055CCC4F58969D71C086A5B32E7A751254CE5CAC6949A70

HTTP(S) requests
13
TCP/UDP connections
28
DNS requests
12
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2716
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
GET
200
95.101.111.168:80
http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D
unknown
whitelisted
2716
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
GET
200
95.101.111.168:80
http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D
unknown
whitelisted
2716
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
GET
200
2.21.239.9:80
http://crl.certum.pl/ctnca.crl
unknown
whitelisted
2716
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
GET
200
95.101.111.168:80
http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQCZo4AKJlU7ZavcboSms%2Bo5
unknown
whitelisted
2716
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
GET
200
104.233.236.65:80
http://104.233.236.65/protected_sihost_20250701_131706.txt
unknown
unknown
2716
rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
GET
200
2.21.239.21:80
http://ccsca2021.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRxypYNH69rICCzQBIRXN0YAFa3AAQU3XRdTADbe5%2BgdMqxbvc8wDLAcM0CEHrRX3%2B5xQH5vPxM6aWBNXs%3D
unknown
unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
756 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
subca.ocsp-certum.com
  • 95.101.111.168
  • 95.101.111.144
whitelisted
crl.certum.pl
  • 2.21.239.9
  • 2.21.239.23
whitelisted
ccsca2021.ocsp-certum.com
  • 2.21.239.21
  • 2.21.239.27
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

PID | Process | Class | Message
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info