File name: Client-built.bat
Full analysis: https://app.any.run/tasks/ce3cac57-c57c-45c3-9fee-dd8c5938b8c1
Verdict: Malicious activity
Analysis date: October 14, 2024, 17:08:32
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (38228), with CRLF line terminators
MD5: 8A861856A3B95FC8F2A58E6E32826CD8
SHA1: 7262CF959774E5C3D3CD2758E04D774D64CF6309
SHA256: 8B220B3D1DFCBE0A594A2A40D7629FED86FDA96F365347456D2A71C8A4E4C68B
SSDEEP: 24576:gp+6zmC95nqAIRkXfKWsXjPJ33wbnL49XqcY36EQhg1giaUu/ofzNNOXFAORd3jZ:gP6AC3cuomh9hUOPYrOlr


ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 512)
      • powershell.exe (PID: 2280)
      • powershell.exe (PID: 5160)
    • Application was injected by another process

      • svchost.exe (PID: 2948)
      • svchost.exe (PID: 2560)
      • explorer.exe (PID: 4616)
      • svchost.exe (PID: 2936)
      • svchost.exe (PID: 488)
      • svchost.exe (PID: 2352)
      • svchost.exe (PID: 1356)
      • svchost.exe (PID: 4284)
      • svchost.exe (PID: 6280)
      • svchost.exe (PID: 3752)
      • svchost.exe (PID: 780)
      • svchost.exe (PID: 4320)
      • svchost.exe (PID: 2328)
      • svchost.exe (PID: 1932)
      • svchost.exe (PID: 6468)
      • svchost.exe (PID: 1512)
      • svchost.exe (PID: 1144)
      • svchost.exe (PID: 2488)
      • svchost.exe (PID: 1940)
      • svchost.exe (PID: 4112)
      • svchost.exe (PID: 2344)
      • svchost.exe (PID: 2336)
      • svchost.exe (PID: 1488)
      • svchost.exe (PID: 1132)
      • svchost.exe (PID: 2700)
      • svchost.exe (PID: 1716)
      • svchost.exe (PID: 1312)
      • svchost.exe (PID: 3068)
      • svchost.exe (PID: 1680)
      • svchost.exe (PID: 1476)
      • svchost.exe (PID: 4064)
      • svchost.exe (PID: 3088)
      • svchost.exe (PID: 3252)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2264)
      • svchost.exe (PID: 3696)
      • svchost.exe (PID: 3688)
      • svchost.exe (PID: 3032)
      • svchost.exe (PID: 1128)
      • svchost.exe (PID: 1740)
      • svchost.exe (PID: 4540)
      • svchost.exe (PID: 876)
      • svchost.exe (PID: 2652)
      • svchost.exe (PID: 4800)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 1860)
      • svchost.exe (PID: 2060)
      • svchost.exe (PID: 624)
      • svchost.exe (PID: 1264)
      • svchost.exe (PID: 5000)
      • svchost.exe (PID: 1688)
      • svchost.exe (PID: 5656)
      • svchost.exe (PID: 2608)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 1220)
      • svchost.exe (PID: 4020)
      • svchost.exe (PID: 2404)
      • svchost.exe (PID: 816)
      • svchost.exe (PID: 6756)
      • svchost.exe (PID: 820)
      • svchost.exe (PID: 628)
      • svchost.exe (PID: 3900)
      • svchost.exe (PID: 1000)
      • svchost.exe (PID: 4156)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 7104)
      • svchost.exe (PID: 2964)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1412)
    • Runs injected code in another process

      • powershell.exe (PID: 5160)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 5160)
    • Starts PowerShell from an unusual location

      • powershell.exe (PID: 5160)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • explorer.exe (PID: 4616)
      • cmd.exe (PID: 6628)
      • cmd.exe (PID: 7032)
      • wscript.exe (PID: 4816)
      • cmd.exe (PID: 5168)
    • Cryptography encrypted command line is found

      • cmd.exe (PID: 5932)
      • cmd.exe (PID: 6160)
      • cmd.exe (PID: 6132)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 512)
      • powershell.exe (PID: 5160)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6628)
      • msconfig.exe (PID: 7024)
      • explorer.exe (PID: 4616)
      • cmd.exe (PID: 7032)
      • wscript.exe (PID: 4816)
      • cmd.exe (PID: 5168)
    • Executes application which crashes

      • msconfig.exe (PID: 7024)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6628)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 5168)
      • powershell.exe (PID: 2280)
    • Application launched itself

      • cmd.exe (PID: 6628)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 5168)
      • powershell.exe (PID: 2280)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 512)
      • powershell.exe (PID: 5160)
    • The process executes VB scripts

      • powershell.exe (PID: 2280)
    • Starts itself from another location

      • powershell.exe (PID: 5160)
  • INFO

    No info indicators.
No Malware configuration.
No data.
Total processes: 153
Monitored processes: 92
Malicious processes: 5
Suspicious processes: 72

Behavior graph

Process nodes, in the order shown in the graph: start, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), powershell.exe, msconfig.exe (no specs), msconfig.exe, cmd.exe (no specs), conhost.exe (no specs), svchost.exe, werfault.exe, cmd.exe (no specs), powershell.exe (no specs), svchost.exe, powershell.exe (no specs), conhost.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), powershell.exe, schtasks.exe (no specs), conhost.exe (no specs), operation.exe (no specs), conhost.exe (no specs), followed by a long run of svchost.exe nodes with one explorer.exe node among them.

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 488
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll

PID: 512
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 4294967295
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 624
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 628
CMD: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 700
CMD: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\WINDOWS\system32\SubDir\Operation.exe" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 780
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s DsmSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 816
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s UsoSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 820
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 876
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\msvcrt.dll

PID: 1000
CMD: C:\WINDOWS\system32\svchost.exe -k RPCSS -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcepmap.dll
c:\windows\system32\wldp.dll

Total events: 45 107
Read events: 44 566
Write events: 278
Delete events: 263

Modification events

PID: 4616
Process: explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:

PID: 4616
Process: explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value: 1

PID: 4616
Process: explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 19500D6700000000

PID: 4616
Process: explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000080214
Operation: write
Name: VirtualDesktop
Value: 100000003030445671D90A7D3588864C9F3CEA9EBAB7B4A7

PID: 1264
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F93AD50A-2FB2-4A34-88EF-786903C710ED}
Operation: write
Name: DynamicInfo
Value: 03000000C09775A51C59DA01740E0CB45B1EDB01000000000000000074CDD0B85B1EDB01

PID: 816
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation: write
Name: RebootRequired
Value: 0

PID: 1264
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{309BA321-F7C8-46A4-BA50-5FAC484229CB}
Operation: write
Name: DynamicInfo
Value: 03000000C8B7E523AAB7D80100CD09B45B1EDB01000000000000000079261FBC5B1EDB01

PID: 512
Process: powershell.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: phantombp
Value: C:\Users\admin\Desktop\Client-built.bat

PID: 2964
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider
Operation: write
Name: StartTime
Value: 554E45BC5B1EDB01

PID: 1264
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator
Operation: write
Name: SD
Value: 0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000

Executable files: 3
Suspicious files: 28
Text files: 22
Unknown types: 0

Dropped files

PID: 4616
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Type: binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

PID: 7108
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msconfig.exe_fc9e2461a5d788554d4233fcf397cd7c9dc2c4c_b075896e_9a62b2e7-b9a2-4de4-83ad-4c35f2402ac2\Report.wer
Type:
MD5:
SHA256:

PID: 512
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_awwyvj0x.dgr.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1264
Process: svchost.exe
Filename: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan
Type: xml
MD5: 11954764DE4745B35A42219A7C5E2DCA
SHA256: 997FCF971A38394C30D9E5CA0C6B36E782630E83B52D2664C56F1DEFBA54CB6C

PID: 1688
Process: svchost.exe
Filename: C:\Windows\Prefetch\HOST.EXE-F5D74C61.pf
Type: binary
MD5: 206D2318DBDCA83BDCE5E551C46CB030
SHA256: C9BE0DBE78A3FD308AC9B874FCE35FE47FE36476FBF8847294E261D82EA99001

PID: 1264
Process: svchost.exe
Filename: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Type: xml
MD5: C6086D02F8CE044F5FA07A98303DC7EB
SHA256: 8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0

PID: 1264
Process: svchost.exe
Filename: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Type: xml
MD5: 4838EE953DAB2C7A1BF57E0C6620A79D
SHA256: 22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D

PID: 7108
Process: WerFault.exe
Filename: C:\Windows\appcompat\Programs\Amcache.hve
Type: binary
MD5: B844E6D2E48035B1B23FE797E0E20A3A
SHA256: 067FBF41F18745C285D9B67FD42387EA06979335C16B18381EB6D4A73E7275AD

PID: 1688
Process: svchost.exe
Filename: C:\Windows\Prefetch\SVCHOST.EXE-6C525542.pf
Type: binary
MD5: 1083EA1A6799A6A14BAB2D8D37EA212C
SHA256: DCAFEC96F28C645FC8D0309B89EBEF9D5442E96710FEAA5A1A9D3518F65C19C2

PID: 7104
Process: svchost.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE46E.tmp.txt
Type: binary
MD5: FA4558599BEFE51054425938B7192B51
SHA256: B236B393CA9B565E88887489F108A370032C8EA9CD3572106A4B53B9D90FD4F1

HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 8
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

PID: 5488 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 2.16.164.97:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | Reputation: whitelisted
PID: 6944 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 2.16.164.97:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | Reputation: whitelisted
PID: 5640 | Process: RUXIMICS.exe | Method: GET | HTTP Code: 200 | IP: 88.221.169.152:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | Reputation: whitelisted
PID: 5488 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 88.221.169.152:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5640 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5640 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
816 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.181.238 | whitelisted
crl.microsoft.com | 2.16.164.97, 2.16.164.24, 2.16.164.18 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
watson.events.data.microsoft.com | 20.189.173.21 | whitelisted
self.events.data.microsoft.com | 52.178.17.3 | whitelisted

Threats

No threats detected
No debug info