File name: Snipaste.exe

Full analysis: https://app.any.run/tasks/6c40692c-b3ab-4066-a8b1-f0457d4d9aae
Verdict: Malicious activity
Analysis date: June 26, 2025, 03:45:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: wsftprm-sys, vuln-driver, xor-url, generic, winos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 0E0FD3DE819DE51DFBB4512C6FBD27A4
SHA1: CBDA7DA3E89D8F3DE396CE7D51F984FD3B78F19B
SHA256: 8CF5EF2EB99046E8B363864B6FE26DE02E999161A6A15B9BF0FB8892569AF39E
SSDEEP: 393216:k2YQRw9PQEU6fQdwg0xVNrHM8q/nmaIPgvg0vf4e8p/xHYlTpcx:kbPU6fQd/kNTMJPJ8ypvf4VYZw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Snipaste.exe (PID: 4788)
      • Snipaste.exe (PID: 2716)
    • Changes Windows Defender settings

      • 0612-2.exe (PID: 1520)
    • XORed URL has been found (YARA)

      • 0612-2.exe (PID: 1520)
    • Vulnerable driver has been detected

      • 0612-2.exe (PID: 1520)
    • Adds path to the Windows Defender exclusion list

      • 0612-2.exe (PID: 1520)
    • WINOS has been detected (YARA)

      • QMUpload.exe (PID: 1336)
      • QMUpload.exe (PID: 4552)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Snipaste.exe (PID: 4788)
      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
    • Reads security settings of Internet Explorer

      • Snipaste.tmp (PID: 4412)
    • Reads the Windows owner or organization settings

      • Snipaste.tmp (PID: 4680)
    • Process drops legitimate windows executable

      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
    • Detected use of alternative data streams (AltDS)

      • 0612-2.exe (PID: 1520)
    • The process drops C-runtime libraries

      • 0612-2.exe (PID: 1520)
    • Executes as Windows Service

      • QMUpload.exe (PID: 1336)
    • Starts POWERSHELL.EXE for commands execution

      • 0612-2.exe (PID: 1520)
    • Script adds exclusion path to Windows Defender

      • 0612-2.exe (PID: 1520)
    • Application launched itself

      • QMUpload.exe (PID: 1336)
    • There is functionality for taking screenshot (YARA)

      • QMUpload.exe (PID: 4552)
      • QMUpload.exe (PID: 1336)
    • Connects to unusual port

      • QMUpload.exe (PID: 4552)
  • INFO

    • Create files in a temporary directory

      • Snipaste.exe (PID: 4788)
      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
    • Checks supported languages

      • Snipaste.tmp (PID: 4412)
      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • Snipaste.exe (PID: 4788)
      • QMUpload.exe (PID: 1336)
      • 0612-2.exe (PID: 1520)
      • QMUpload.exe (PID: 4552)
    • Reads the computer name

      • Snipaste.tmp (PID: 4412)
      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
      • QMUpload.exe (PID: 1336)
      • QMUpload.exe (PID: 4552)
    • Process checks computer location settings

      • Snipaste.tmp (PID: 4412)
    • Creates files or folders in the user directory

      • Snipaste.tmp (PID: 4680)
    • The sample compiled with english language support

      • 0612-2.exe (PID: 1520)
    • The sample compiled with chinese language support

      • 0612-2.exe (PID: 1520)
    • Creates files in the program directory

      • 0612-2.exe (PID: 1520)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6812)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6812)
    • Checks proxy server information

      • slui.exe (PID: 2976)
    • Reads the software policy settings

      • slui.exe (PID: 2976)

xor-url

(PID) Process(1520) 0612-2.exe
Decrypted-URLs (31):
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://crl.globalsign.com/gs/gscodesigng2.crl0
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.net/root.crl0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
http://ocsp.digicert.com0
http://ocsp.digicert.com0A
http://ocsp.digicert.com0C
http://ocsp.digicert.com0X
http://ocsp2.globalsign.com/gscodesigng20
http://secure.globalsign.com/cacert/gscodesigng2.crt04
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
http://www.digicert.com/CPS0
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://www.microsoft.com/pkiops/Docs/Repository.htm0
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0
http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crt0
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
https://www.microsoft.com/en-us/windows
Decrypted-URLs (9):
http://crl.globalsign.com/gs/gscodesigng2.crl0
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.net/root.crl0
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://ocsp2.globalsign.com/gscodesigng20
http://secure.globalsign.com/cacert/gscodesigng2.crt04
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: WTGAHHS676738UHUSHH Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: WTGAHHS676738UHUSHH
ProductVersion: 2.3.8
No data.
Screenshots: all screenshots are available in the full report
Total processes: 147
Monitored processes: 10
Malicious processes: 7
Suspicious processes: 0

Behavior graph

start
snipaste.exe
snipaste.tmp (no specs)
snipaste.exe
snipaste.tmp
#XOR-URL 0612-2.exe
#WINOS qmupload.exe (no specs)
powershell.exe (no specs)
#WINOS qmupload.exe
conhost.exe (no specs)
slui.exe

Process information

PID | CMD | Path | Indicators | Parent process

PID: 1336
CMD: C:\ProgramData\7q1vK9Hl\QMUpload.exe
Path: C:\ProgramData\7q1vK9Hl\QMUpload.exe
Parent process: services.exe
User: SYSTEM
Company: Tencent
Integrity Level: SYSTEM
Description: 腾讯电脑管家-下载中心 (Tencent PC Manager - Download Center)
Version: 17.6.27115.207
Modules (Images):
c:\programdata\7q1vk9hl\qmupload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 1520
CMD: "C:\Users\admin\AppData\Roaming\2.3.810225479208\0612-2.exe"
Path: C:\Users\admin\AppData\Roaming\2.3.810225479208\0612-2.exe
Parent process: Snipaste.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\appdata\roaming\2.3.810225479208\0612-2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2716
CMD: "C:\Users\admin\AppData\Local\Temp\Snipaste.exe" /SPAWNWND=$702E8 /NOTIFYWND=$802E4
Path: C:\Users\admin\AppData\Local\Temp\Snipaste.exe
Parent process: Snipaste.tmp
User: admin
Company: -
Integrity Level: HIGH
Description: WTGAHHS676738UHUSHH Setup
Exit code: 0
Version: -
Modules (Images):
c:\users\admin\appdata\local\temp\snipaste.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 2976
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4412
CMD: "C:\Users\admin\AppData\Local\Temp\is-I0DB7.tmp\Snipaste.tmp" /SL5="$802E4,53748433,845824,C:\Users\admin\AppData\Local\Temp\Snipaste.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-I0DB7.tmp\Snipaste.tmp
Parent process: Snipaste.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-i0db7.tmp\snipaste.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 4552
CMD: "C:\ProgramData\7q1vK9Hl\QMUpload.exe"
Path: C:\ProgramData\7q1vK9Hl\QMUpload.exe
Parent process: QMUpload.exe
User: SYSTEM
Company: Tencent
Integrity Level: SYSTEM
Description: 腾讯电脑管家-下载中心 (Tencent PC Manager - Download Center)
Version: 17.6.27115.207
Modules (Images):
c:\programdata\7q1vk9hl\qmupload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 4680
CMD: "C:\Users\admin\AppData\Local\Temp\is-3EC4B.tmp\Snipaste.tmp" /SL5="$50252,53748433,845824,C:\Users\admin\AppData\Local\Temp\Snipaste.exe" /SPAWNWND=$702E8 /NOTIFYWND=$802E4
Path: C:\Users\admin\AppData\Local\Temp\is-3EC4B.tmp\Snipaste.tmp
Parent process: Snipaste.exe
User: admin
Company: -
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-3ec4b.tmp\snipaste.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 4788
CMD: "C:\Users\admin\AppData\Local\Temp\Snipaste.exe"
Path: C:\Users\admin\AppData\Local\Temp\Snipaste.exe
Parent process: explorer.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: WTGAHHS676738UHUSHH Setup
Exit code: 0
Version: -
Modules (Images):
c:\users\admin\appdata\local\temp\snipaste.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 6164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6812
CMD: powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\ProgramData\7q1vK9Hl""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 0612-2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 6 726
Read events: 6 726
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 14
Suspicious files: 10
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | Hashes

4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-BF1TI.tmp | - | MD5: - | SHA256: -
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\360SysVulTerminator.exe | - | MD5: - | SHA256: -
1520 | 0612-2.exe | C:\ProgramData\7q1vK9Hl\QMStuck.dll | - | MD5: - | SHA256: -
4788 | Snipaste.exe | C:\Users\admin\AppData\Local\Temp\is-I0DB7.tmp\Snipaste.tmp | executable | MD5: 71A3413226CD0B72B292769D19975116 | SHA256: 0D7F228D65D2A69FB9F3A8EB30995891610F713F01B526FBFF4F80A49A2AECC8
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-5COT5.tmp | executable | MD5: 5EFA08B5ECADB2EC3CE2F3A4381CCD07 | SHA256: 7350A2D7D9988E81DB4D02C51EBDA6573A884EE98C74D1E1EACF44DFB9955C0F
2716 | Snipaste.exe | C:\Users\admin\AppData\Local\Temp\is-3EC4B.tmp\Snipaste.tmp | executable | MD5: 71A3413226CD0B72B292769D19975116 | SHA256: 0D7F228D65D2A69FB9F3A8EB30995891610F713F01B526FBFF4F80A49A2AECC8
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-UD40G.tmp | binary | MD5: 7211EBE8366FA26EEFE79551539210EF | SHA256: 31EA370FDD9FCC5F5160425EF8824D6507DD001D76CE5758ECB384C7293D1B45
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-CALKE.tmp | binary | MD5: 5515EE6F136C87EAB65B9D35999C67E9 | SHA256: 7D91C09221A2625D0743637E8418EB64F2E7390A17F8D7B5D826DB60021216F0
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\0612-2.exe | executable | MD5: 5EFA08B5ECADB2EC3CE2F3A4381CCD07 | SHA256: 7350A2D7D9988E81DB4D02C51EBDA6573A884EE98C74D1E1EACF44DFB9955C0F
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\README.md | binary | MD5: 5515EE6F136C87EAB65B9D35999C67E9 | SHA256: 7D91C09221A2625D0743637E8418EB64F2E7390A17F8D7B5D826DB60021216F0
HTTP(S) requests: 6
TCP/UDP connections: 70
DNS requests: 17
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3948 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4312 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4312 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2032 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3948 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3948 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.65
  • 20.190.160.128
  • 20.190.160.4
  • 20.190.160.131
  • 40.126.32.74
  • 20.190.160.20
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID | Process | Class | Message

- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
- | - | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
- | - | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
No debug info