File name:

Trojan.Win32.VeryFun

Full analysis: https://app.any.run/tasks/e662f845-af31-4e50-9d78-e53c798d1d6d
Verdict: Malicious activity
Analysis date: May 11, 2025, 03:26:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: EF7B3C31BC127E64627EDD8B89B2AE54
SHA1: 310D606EC2F130013CC9D2F38A9CC13A2A34794A
SHA256: 8B04FDA4BEE1806587657DA6C6147D3E949AA7D11BE1EEFB8CD6EF0DBA76D387
SSDEEP: 49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8t:Js/4ibecELz/RkO6LF4hRq5GKHmBBYC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • cmd.exe (PID: 2560)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • cmd.exe (PID: 2560)
    • Checks for the .NET to be installed

      • cmd.exe (PID: 2560)
    • Starts CMD.EXE for commands execution

      • Trojan.Win32.VeryFun.exe (PID: 6620)
    • Changes the Home page of Internet Explorer

      • cmd.exe (PID: 2560)
    • Changes the title of the Internet Explorer window

      • cmd.exe (PID: 2560)
    • There is functionality for taking screenshot (YARA)

      • cmd.exe (PID: 1088)
      • Trojan.Win32.VeryFun.exe (PID: 6620)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 976)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 2268)
    • Reads the history of recent RDP connections

      • cmd.exe (PID: 2560)
    • Application launched itself

      • ie4uinit.exe (PID: 5392)
      • setup.exe (PID: 6592)
      • setup.exe (PID: 5400)
      • setup.exe (PID: 472)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 2244)
  • INFO

    • Checks supported languages

      • Trojan.Win32.VeryFun.exe (PID: 6620)
    • Reads mouse settings

      • Trojan.Win32.VeryFun.exe (PID: 6620)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 1088)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 976)
    • The sample was compiled with English language support

      • Trojan.Win32.VeryFun.exe (PID: 6620)
    • Reads the computer name

      • Trojan.Win32.VeryFun.exe (PID: 6620)
    • UPX packer has been detected

      • Trojan.Win32.VeryFun.exe (PID: 6620)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 1088)
      • cmd.exe (PID: 976)
      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 1184)
    • The process uses AutoIt

      • Trojan.Win32.VeryFun.exe (PID: 6620)
      • cmd.exe (PID: 1088)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 976)
      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 1056)
    • Manual execution by a user

      • setup.exe (PID: 6592)
      • WerFault.exe (PID: 300)
      • ie4uinit.exe (PID: 5392)
      • unregmp2.exe (PID: 1764)
      • chrmstp.exe (PID: 2796)
    • Application launched itself

      • chrmstp.exe (PID: 2796)
      • chrmstp.exe (PID: 4728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:09:22 22:25:28+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 356352
InitializedDataSize: 2826240
UninitializedDataSize: 3354624
EntryPoint: 0x389de0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
All screenshots are available in the full report
Total processes
167
Monitored processes
27
Malicious processes
8
Suspicious processes
0

Behavior graph

Graph nodes in order (process names only; the interactive graph is in the full report): start, trojan.win32.veryfun.exe, cmd.exe, cmd.exe, sppextcomobj.exe, slui.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, slui.exe, werfault.exe, ie4uinit.exe, ie4uinit.exe, unregmp2.exe, chrmstp.exe, chrmstp.exe, chrmstp.exe, chrmstp.exe, setup.exe, setup.exe, setup.exe, setup.exe, setup.exe, setup.exe, rundll32.exe, trojan.win32.veryfun.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5492 -s 4308
Path: C:\Windows\System32\WerFault.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
2147942431
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 472
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --msedge --channel=stable --launch-msedge-after-unlock --verbose-logging --system-level
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\installer\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 632
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6613b69a8,0x7ff6613b69b4,0x7ff6613b69c0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\Installer\setup.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\installer\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 904
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 976
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Trojan.Win32.VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1056
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Trojan.Win32.VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1088
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Trojan.Win32.VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1184
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Trojan.Win32.VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1764
CMD: "C:\Windows\System32\unregmp2.exe" /FirstLogon
Path: C:\Windows\System32\unregmp2.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Media Player Setup Utility
Exit code:
0
Version:
12.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\unregmp2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2244
CMD: C:\Windows\System32\ie4uinit.exe -ClearIconCache
Path: C:\Windows\System32\ie4uinit.exe
Parent process: ie4uinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IE Per-User Initialization Utility
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ie4uinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
191 608
Read events
163 773
Write events
27 803
Delete events
32

Modification events

(PID) Process: (6620) Trojan.Win32.VeryFun.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management
Operation: write
Name: LargePageMinimum
Value:
1
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\winword.exe\{2CCAA9FE-6884-4AF2-99DD-5217B94115DF}
Operation: write
Name: Maximum File Version Number
Value:
›»|d$Þյɐ5¦>N¨]Õ¬)D-;ݤ£ø
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\winword.exe\{2CCAA9FE-6884-4AF2-99DD-5217B94115DF}
Operation: write
Name: Minimum File Version Number
Value:
!9Á·¿×ÉMI1Ébn„¢áÌæ
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\winword.exe\{2CCAA9FE-6884-4AF2-99DD-5217B94115DF}
Operation: write
Name: Target Version
Value:
KÒÞè±E½Jœ£É‡j…Lºxá"ԏ©†¾‹
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\winword.exe\{2CCAA9FE-6884-4AF2-99DD-5217B94115DF}\Registry Keys\{2CCAA9FE-6884-4AF2-99DD-5217B94115DF}
Operation: write
Name: Key Name
Value:
†²µïÊfÜÃvÔ6Ì•ôXXòMªÔ)ÆD%
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\AppPatch\v2.0.50727.00000\xsd2edi.exe\{B469F89A-19A5-44B2-A12F-E93394003755}
Operation: write
Name: Company
Value:
_
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\Microsoft.KeyDistributionService.Cmdlets, Version=10.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=x86\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
<ɇÿ!±«nRnZça¸hFÚ¡iîÁ·
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\Microsoft.KeyDistributionService.Cmdlets.Resources, Version=10.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
€WìÞG;<ýÖ¦míËbZŽyT”•Ÿ‚
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\Microsoft.Management.Infrastructure, Version=1.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
ò¡˜á™H‚š}#¹·Ø’K¬&cùäŠ8ÜßÐ
(PID) Process: (2560) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Fusion\References\Microsoft.Management.Infrastructure.CimCmdlets, Version=1.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write
Name: {71F8EFBF-09AF-418D-91F1-52707CDFA274}
Value:
øyÒ™¬°Ð*¼Ý¼™¦ZАòç<Øšd
Executable files
5
Suspicious files
3
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5392 | Process: ie4uinit.exe | Filename: C:\Users\admin\AppData\Local\Temp\RGI25DC.tmp | Type: text
MD5: 0D6E3B5966C8910612CBB86683829EFD
SHA256: 6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
PID: 5392 | Process: ie4uinit.exe | Filename: C:\Users\admin\AppData\Local\Temp\RGI25EC.tmp | Type: text
MD5: 0D6E3B5966C8910612CBB86683829EFD
SHA256: 6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
PID: 6620 | Process: Trojan.Win32.VeryFun.exe | Filename: C:\Windows\system.ini | Type: binary
MD5: F7206FDC09391A8529D0E7A090A84005
SHA256: 85CC763614C10F642547A608D6A50F5AA34E161EC5EDB869869C5437CB9D35F2
PID: 5392 | Process: ie4uinit.exe | Filename: C:\Users\admin\AppData\Local\Temp\RGI262D.tmp | Type: text
MD5: 87BA1D52A05A8D4343356EB0C6279DE2
SHA256: 564A351DB0AB9249751ECF3F5D03049A43BEB0F8F3B95A5B8AAE9A9F7D0C17FB
PID: 1764 | Process: unregmp2.exe | Filename: C:\Users\admin\AppData\Local\Temp\wmsetup.log | Type: text
MD5: 6CA406865ED3572BDB0222533F0E2FA3
SHA256: B71B05E0003FB332791A7087BD5C622949C16FEDB4C5C4245D6A2FCB436E83B8
PID: 2796 | Process: chrmstp.exe | Filename: C:\Windows\Temp\Crashpad\settings.dat | Type: binary
MD5: 2682B4505D8D78D2B13CEB79C558C225
SHA256: E5BD0AB7AB6E7C7FD344926E42B8075B24F253F5DF5EF0D6C76AFEF53C785753
PID: 632 | Process: setup.exe | Filename: C:\Windows\Temp\MsEdgeCrashpad\throttle_store.dat | Type: text
MD5: 9E4E94633B73F4A7680240A0FFD6CD2C
SHA256: 41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
PID: 4728 | Process: chrmstp.exe | Filename: C:\Users\admin\AppData\Local\Temp\chrome_installer.log | Type: text
MD5: 4E32E010A99AFA3939C6A9F931C5D040
SHA256: 5D615ECCAE6085BD62F6DAA1193C7A9542121657106BCC19CCDFC3A74A2575FE
PID: 5400 | Process: setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\msedge_installer.log | Type: text
MD5: A54F7C415D8C75F6FB4BD74C18668562
SHA256: 9C3F1E9E54A58940067873976160F7372F3BEF7D0A86947687329D76B17B0366
PID: 5392 | Process: ie4uinit.exe | Filename: C:\Users\admin\AppData\Local\Temp\RGI25CB.tmp | Type: text
MD5: 0D6E3B5966C8910612CBB86683829EFD
SHA256: 6B5C97558FDF8CC87169CAD942F04A633BF2B9931D50BF22D91E632C0EA596AF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
24
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6740
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6740
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6740
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6740
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6740
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6740
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6740
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6740
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.6
  • 23.216.77.28
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 23.219.150.101
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.132
  • 20.190.160.5
  • 20.190.160.2
  • 20.190.160.66
  • 20.190.160.17
  • 20.190.160.67
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info