File name: VeryFun.exe
Full analysis: https://app.any.run/tasks/0b7f2441-de94-4ce9-872e-dc0d88793909
Verdict: Malicious activity
Analysis date: April 29, 2025, 11:06:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: EF7B3C31BC127E64627EDD8B89B2AE54
SHA1: 310D606EC2F130013CC9D2F38A9CC13A2A34794A
SHA256: 8B04FDA4BEE1806587657DA6C6147D3E949AA7D11BE1EEFB8CD6EF0DBA76D387
SSDEEP: 49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8t:Js/4ibecELz/RkO6LF4hRq5GKHmBBYC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • cmd.exe (PID: 456)
  • SUSPICIOUS

    • Reads the history of recent RDP connections

      • cmd.exe (PID: 456)
    • There is functionality for taking screenshot (YARA)

      • VeryFun.exe (PID: 6044)
      • cmd.exe (PID: 5116)
      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 5384)
    • Checks for the .NET to be installed

      • cmd.exe (PID: 456)
    • Starts CMD.EXE for commands execution

      • VeryFun.exe (PID: 6044)
    • The process checks if it is being run in the virtual environment

      • cmd.exe (PID: 456)
    • Changes the title of the Internet Explorer window

      • cmd.exe (PID: 456)
    • Changes the Home page of Internet Explorer

      • cmd.exe (PID: 456)
    • Application launched itself

      • ie4uinit.exe (PID: 7740)
      • setup.exe (PID: 8016)
      • setup.exe (PID: 8076)
      • setup.exe (PID: 8152)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 7808)
  • INFO

    • Reads mouse settings

      • cmd.exe (PID: 456)
      • cmd.exe (PID: 3888)
      • VeryFun.exe (PID: 6044)
      • cmd.exe (PID: 5116)
      • cmd.exe (PID: 1164)
    • Reads the computer name

      • VeryFun.exe (PID: 6044)
    • The sample compiled with english language support

      • VeryFun.exe (PID: 6044)
    • Checks supported languages

      • VeryFun.exe (PID: 6044)
    • UPX packer has been detected

      • VeryFun.exe (PID: 6044)
      • cmd.exe (PID: 5116)
      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 5720)
    • The process uses AutoIt

      • VeryFun.exe (PID: 6044)
      • cmd.exe (PID: 5116)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 3888)
    • Manual execution by a user

      • WerFault.exe (PID: 7640)
      • ie4uinit.exe (PID: 7740)
      • unregmp2.exe (PID: 7840)
      • chrmstp.exe (PID: 7864)
      • setup.exe (PID: 8016)
    • Application launched itself

      • chrmstp.exe (PID: 7864)
      • chrmstp.exe (PID: 7924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:09:22 22:25:28+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 356352
InitializedDataSize: 2826240
UninitializedDataSize: 3354624
EntryPoint: 0x389de0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
All screenshots are available in the full report
Total processes: 160
Monitored processes: 27
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process nodes (from start): veryfun.exe, cmd.exe (no specs), cmd.exe (no specs), sppextcomobj.exe (no specs), slui.exe, cmd.exe (no specs) x5, slui.exe (no specs), werfault.exe (no specs), ie4uinit.exe (no specs) x2, unregmp2.exe (no specs), chrmstp.exe (no specs) x4, setup.exe (no specs) x6, rundll32.exe (no specs), veryfun.exe (no specs)

Process information

PID: 456
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1164
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1660
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 3888
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4488
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5116
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5384
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5404
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x160,0x258,0x25c,0x148,0x260,0x7ff63f1269a8,0x7ff63f1269b4,0x7ff63f1269c0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\installer\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5720
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6044
CMD: "C:\Users\admin\AppData\Local\Temp\VeryFun.exe"
Path: C:\Users\admin\AppData\Local\Temp\VeryFun.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\veryfun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 192 870
Read events: 165 035
Write events: 27 803
Delete events: 32

Modification events

(PID) Process: (6044) VeryFun.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management
Operation: write
Name: LargePageMinimum
Value:
1
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\XSharpP.EXE\{BDC69590-00EE-408A-B21F-58D9EF182CF6}
Operation: write
Name: Product Name
Value:
„‰þÙly¤ö¯®é™ü¶³HM³¹ð›
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\XSharpP.EXE\{BDC69590-00EE-408A-B21F-58D9EF182CF6}
Operation: write
Name: Target Version
Value:
%´Þ\éòx¥h'¦óÓ /ý:¡ÄÊ»Á!ÖÌ
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\Upgrades
Operation: write
Name: 2.0.50727
Value:
¥š U9 $žçE–º¼°v¦ÑÑ6?‘Ä}
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AssemblyFolders\v3.0
Operation: write
Name: All Assemblies In
Value:
ñ”÷åÕ”õ‡;ýrnÂ¥“»b2{H²ˆ@€ól
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AssemblyFolders\v3.5
Operation: write
Name: All Assemblies In
Value:
oŽrT#3î­Ó@Ì2" 8Q@ÖÄ6,hè)5Çõ
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\Accessibility, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
:–żtYƒ[—j7œV²ÆT\0óçlßlb
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\AuditPolicyGPManagedStubs.Interop, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=amd64\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
¶?<*±1£mÀ$Ȧ(Jµ'ƾÒJ &y¿
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\AuditPolicyGPManagedStubs.Interop, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=x86\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
r%Ψcß{Ëñ©ZG„}'üv°ýUÔ¨o§E
(PID) Process: (456) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\ComSvcConfig, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
|\QMy‚ÞZâí¦f+Ê®?<Cì(»»°$£¡
Executable files: 5
Suspicious files: 3
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6044 | VeryFun.exe | C:\Windows\system.ini | binary
MD5: C450516A2A283CBA4F88CA0B79FA5E73
SHA256: 88BA20614F44E68B3EE62C30C97530DA548A3AF084AB850E405A6F2FC0CF8476
8036 | setup.exe | C:\Windows\Temp\MsEdgeCrashpad\throttle_store.dat | text
MD5: 9E4E94633B73F4A7680240A0FFD6CD2C
SHA256: 41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
7840 | unregmp2.exe | C:\Users\admin\AppData\Local\Temp\wmsetup.log | text
MD5: 4E63CACE3F548A2BFB2A419956C47C63
SHA256: 0DFFDE8967FFFE5337BC7722EB9D750E61CC1B9443BBF74BDC7FD3B8C08EDB2A
7864 | chrmstp.exe | C:\Windows\Temp\Crashpad\settings.dat | binary
MD5: B89039CA85F9AAB8F3031F930806B88B
SHA256: 92E0AC4B33B587AC898CF5B32DB3DD37BCF2323C08E730651132C68ECB36BFAD
7740 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGI1EAE.tmp | text
MD5: 0D6E3B5966C8910612CBB86683829EFD
SHA256: 6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
7924 | chrmstp.exe | C:\Users\admin\AppData\Local\Temp\chrome_installer.log | text
MD5: D515EFE7305F5BE90C361A9964B8746F
SHA256: 387164D318568268CD6A99AAC912A7269AE721E9BA35FC38E02CA58D10A3FC8F
8036 | setup.exe | C:\Windows\Temp\MsEdgeCrashpad\settings.dat | binary
MD5: 8478027125A77120A7E54ABC2A0484E8
SHA256: 004DE397B73B4D8CD7FA1899D87D02CC5C4193AF5BBDE30BE026EC5090AE2FC9
7740 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGI1E8C.tmp | text
MD5: 0D6E3B5966C8910612CBB86683829EFD
SHA256: 6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
8076 | setup.exe | C:\Users\admin\AppData\Local\Temp\msedge_installer.log | text
MD5: 0C98475DC10A9A73358E5A66DDB117CF
SHA256: FA3E112F0EF31E1073B8367391EC98DE861DCA88D284EB3C88FB0429CB6DE734
7740 | ie4uinit.exe | C:\Users\admin\AppData\Local\Temp\RGI1EDE.tmp | text
MD5: 87BA1D52A05A8D4343356EB0C6279DE2
SHA256: 564A351DB0AB9249751ECF3F5D03049A43BEB0F8F3B95A5B8AAE9A9F7D0C17FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 22
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 23.52.56.216:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7320 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7320 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7320 | SIHClient.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7320 | SIHClient.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7320 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7320 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 23.52.56.216:80 | ocsp.digicert.com | AKAMAI-AS | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7320 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.153
  • 23.48.23.155
  • 23.48.23.188
  • 23.48.23.183
  • 23.48.23.178
  • 23.48.23.134
  • 23.48.23.194
  • 23.48.23.140
  • 2.16.164.9
  • 2.16.164.43
  • 2.16.164.106
  • 2.16.164.51
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.133
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.22
  • 20.190.160.132
  • 40.126.32.136
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 23.52.56.216
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info