File name:

rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa

Full analysis: https://app.any.run/tasks/6b1049f3-f706-488c-8c4d-376a74e04394
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: July 05, 2025, 21:58:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

AFD62F9F16918C40A5FB392CE298179F

SHA1:

2BA1EC5E2A6E67B9DE1051E9501A6C19FFF37415

SHA256:

83354F7B5EE916CDECB948DA2C02B1F76C3465CB341E50C5397805C16C6084FA

SSDEEP:

1536:hm/dx5JZHzek3h/0holIHRPgX+Oswnxl/ZmbOpYbj9UksjrLGD49WOgo10y:hedx5JZHb3h/0holIHWBnD/wSeXaj3LB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses AES cipher (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Executing a file with an untrusted certificate

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2508)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • XWORM has been detected (YARA)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2508)
    • Process drops legitimate windows executable

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets content of a file (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses sleep to delay execution (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Adds/modifies Windows certificates

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Connects to the server without a host name

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Uses base64 encoding (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Reads security settings of Internet Explorer

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 432)
      • csc.exe (PID: 3620)
    • Starts POWERSHELL.EXE for commands execution

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • The process hides Powershell's copyright startup banner

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • The process bypasses the loading of PowerShell profile settings

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Connects to unusual port

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Identifying current user with WHOAMI command

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
  • INFO

    • Reads the computer name

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Reads Environment values

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks whether the specified file exists (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Reads the machine GUID from the registry

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • csc.exe (PID: 3620)
    • Create files in a temporary directory

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • csc.exe (PID: 432)
      • cvtres.exe (PID: 6724)
      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 6104)
    • Creates files or folders in the user directory

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks proxy server information

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • slui.exe (PID: 2648)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • powershell.exe (PID: 7016)
    • Disables trace logs

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Gets data length (POWERSHELL)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
    • Checks supported languages

      • csc.exe (PID: 432)
      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • cvtres.exe (PID: 6724)
      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 6104)
    • Reads the software policy settings

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
      • slui.exe (PID: 2648)
    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (PID: 2716)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (47.7)
.scr | Windows screen saver (22.6)
.dll | Win32 Dynamic Link Library (generic) (11.3)
.exe | Win32 Executable (generic) (7.7)
.exe | Win16/32 Executable Delphi generic (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:01 05:17:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 41472
InitializedDataSize: 18432
UninitializedDataSize: -
EntryPoint: 0xc10e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.6.5.2774
ProductVersionNumber: 3.6.5.2774
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 系统服务应用 (Chinese: "system service application")
CompanyName: Microsoft Corporation
FileDescription: Micrsoft@Windows
FileVersion: 3.6.5.2774
InternalName: sihost.exe
LegalCopyright: Micrsoft@Windows
LegalTrademarks: ™ 2025 Microsoft Corporation
OriginalFileName: sihost.exe
ProductName: Micrsoft@Windows
ProductVersion: 3.6.5.2774
AssemblyVersion: 3.6.5.2774
No data.
Total processes: 144
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in the graph (in the order shown):
  • start → #XWORM rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
  • conhost.exe (no specs)
  • whoami.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe
  • rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 432
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2508
CMD: "C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe"
Path: C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Micrsoft@Windows
Exit code:
3221226540
Version:
3.6.5.2774
Modules
Images
c:\users\admin\desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
c:\windows\system32\ntdll.dll
PID: 2648
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2716
CMD: "C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe"
Path: C:\Users\admin\Desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Micrsoft@Windows
Version:
3.6.5.2774
Modules
Images
c:\users\admin\desktop\rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3620
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\0tjl3gdy\0tjl3gdy.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6104
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES80D8.tmp" "c:\Users\admin\AppData\Local\Temp\0tjl3gdy\CSCA6DA225FA0E847A3ACFAED2C6D83689C.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6664
CMD: "C:\WINDOWS\system32\whoami.exe"
Path: C:\Windows\System32\whoami.exe
Parent process: rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
whoami - displays logged on user information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6724
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES803C.tmp" "c:\Users\admin\AppData\Local\Temp\3gy0oqli\CSC7260504DDD2C466084A527CEA4909AA0.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 21 464
Read events: 21 442
Write events: 18
Delete events: 4

Modification events

(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Value:
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Operation: write
Name: Blob
Value:
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092
Operation: write
Name: Blob
Value:
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 07E032E020B72C3F192F0628A2593A19A70F069E
Value:
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation: write
Name: Blob
Value:
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation: write
Name: Blob
Value:
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
(PID) Process: (2716) rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value:
Executable files: 2
Suspicious files: 13
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tzaej4mn.o3a.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | binary
MD5: 28C4BA14D30A22F15512F9F8D6D44494
SHA256: 6C1B0F3C70E05F25901EA9BF5BDA798D71A1F91DE9FADA4FD6D1C412AA175E49
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\path_info.txt | text
MD5: EC8A8684403767FA605CB01CCA69954D
SHA256: A09EB447C1BC1B279F823BF90487BAF8BF44A4F386D20754025749F9F197EF17
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bcrucmxi.kqt.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4 | binary
MD5: CAD18364ECD4625CF91E95C6525CC1D4
SHA256: D276EFA69EA025E1613761A41A4B7A07399DE8FA63172FB1BCB58AB3279EEB7C
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\856FDBDDFEAC90A3D62D621EBF196637 | binary
MD5: E4AF6DEBFB86571BCBFBCEE68DABA556
SHA256: 13943EB10C5A474E425C87DF08683D23444349344F48F66D2AC12768D28C93B4
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.cmdline | text
MD5: F5D0E18A39BBCA6CF75119438F778148
SHA256: 6A5186F4C4BBBCBEABEB55D7A562A2C91E2E2D470B488A4F0995A9AEA2A65B78
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | C:\Users\admin\AppData\Local\Temp\3gy0oqli\3gy0oqli.0.cs | text
MD5: EDBD145343899CE0DC821021604EFE49
SHA256: 3DD1EFC14F57F0504DACA0B0D1A826F72F3FF1AE6B3356F367D4CC7C129062E8
6724 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES803C.tmp | binary
MD5: BEB721A91A381DFA372DE5C2F4748EE5
SHA256: 873C5DF962B608E93A75B804EC28F352502DD7B5804CB7EC4D83CD9AD56D49F8
432 | csc.exe | C:\Users\admin\AppData\Local\Temp\3gy0oqli\CSC7260504DDD2C466084A527CEA4909AA0.TMP | binary
MD5: DF86AC4A1FB4BE6CA2B06A3B27CE8255
SHA256: DB1FC5BFD26F39730D4DA6D214733F90F84D7B0BA148B47BC21D15AC2CABAF66
HTTP(S) requests: 13
TCP/UDP connections: 28
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 95.101.111.168:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | NL | binary | 1.52 Kb | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 95.101.111.168:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | NL | binary | 1.52 Kb | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 2.21.239.9:80 | http://crl.certum.pl/ctnca.crl | TR | binary | 770 b | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 95.101.111.168:80 | http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQCZo4AKJlU7ZavcboSms%2Bo5 | NL | binary | 1.80 Kb | whitelisted
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 104.233.236.65:80 | http://104.233.236.65/protected_sihost_20250701_131706.txt | US | text | 98.1 Kb | unknown
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | GET | 200 | 2.21.239.21:80 | http://ccsca2021.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRxypYNH69rICCzQBIRXN0YAFa3AAQU3XRdTADbe5%2BgdMqxbvc8wDLAcM0CEHrRX3%2B5xQH5vPxM6aWBNXs%3D | TR | binary | 2.23 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
756 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
subca.ocsp-certum.com | 95.101.111.168, 95.101.111.144 | whitelisted
crl.certum.pl | 2.21.239.9, 2.21.239.23 | whitelisted
ccsca2021.ocsp-certum.com | 2.21.239.21, 2.21.239.27 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
x1.c.lencr.org | 69.192.161.44 | whitelisted
self.events.data.microsoft.com | 13.89.179.9 | whitelisted

Threats

PID | Process | Class | Message
2716 | rl_83354f7b5ee916cdecb948da2c02b1f76c3465cb341e50c5397805c16c6084fa.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info