File name:

Snipaste.exe

Full analysis: https://app.any.run/tasks/6c40692c-b3ab-4066-a8b1-f0457d4d9aae
Verdict: Malicious activity
Analysis date: June 26, 2025, 03:45:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
wsftprm-sys
vuln-driver
xor-url
generic
winos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

0E0FD3DE819DE51DFBB4512C6FBD27A4

SHA1:

CBDA7DA3E89D8F3DE396CE7D51F984FD3B78F19B

SHA256:

8CF5EF2EB99046E8B363864B6FE26DE02E999161A6A15B9BF0FB8892569AF39E

SSDEEP:

393216:k2YQRw9PQEU6fQdwg0xVNrHM8q/nmaIPgvg0vf4e8p/xHYlTpcx:kbPU6fQd/kNTMJPJ8ypvf4VYZw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Snipaste.exe (PID: 2716)
      • Snipaste.exe (PID: 4788)
    • XORed URL has been found (YARA)

      • 0612-2.exe (PID: 1520)
    • Vulnerable driver has been detected

      • 0612-2.exe (PID: 1520)
    • Changes Windows Defender settings

      • 0612-2.exe (PID: 1520)
    • Adds path to the Windows Defender exclusion list

      • 0612-2.exe (PID: 1520)
    • WINOS has been detected (YARA)

      • QMUpload.exe (PID: 4552)
      • QMUpload.exe (PID: 1336)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Snipaste.exe (PID: 4788)
      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
    • Process drops legitimate windows executable

      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
    • Reads the Windows owner or organization settings

      • Snipaste.tmp (PID: 4680)
    • Reads security settings of Internet Explorer

      • Snipaste.tmp (PID: 4412)
    • The process drops C-runtime libraries

      • 0612-2.exe (PID: 1520)
    • Detected use of alternative data streams (AltDS)

      • 0612-2.exe (PID: 1520)
    • Executes as Windows Service

      • QMUpload.exe (PID: 1336)
    • Starts POWERSHELL.EXE for commands execution

      • 0612-2.exe (PID: 1520)
    • Application launched itself

      • QMUpload.exe (PID: 1336)
    • Connects to unusual port

      • QMUpload.exe (PID: 4552)
    • Script adds exclusion path to Windows Defender

      • 0612-2.exe (PID: 1520)
    • There is functionality for taking screenshot (YARA)

      • QMUpload.exe (PID: 4552)
      • QMUpload.exe (PID: 1336)
  • INFO

    • Checks supported languages

      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • Snipaste.exe (PID: 4788)
      • 0612-2.exe (PID: 1520)
      • QMUpload.exe (PID: 1336)
      • QMUpload.exe (PID: 4552)
      • Snipaste.tmp (PID: 4412)
    • Reads the computer name

      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • Snipaste.tmp (PID: 4412)
      • 0612-2.exe (PID: 1520)
      • QMUpload.exe (PID: 1336)
      • QMUpload.exe (PID: 4552)
    • Create files in a temporary directory

      • Snipaste.exe (PID: 2716)
      • Snipaste.tmp (PID: 4680)
      • 0612-2.exe (PID: 1520)
      • Snipaste.exe (PID: 4788)
    • Creates files or folders in the user directory

      • Snipaste.tmp (PID: 4680)
    • Creates files in the program directory

      • 0612-2.exe (PID: 1520)
    • The sample compiled with english language support

      • 0612-2.exe (PID: 1520)
    • The sample compiled with chinese language support

      • 0612-2.exe (PID: 1520)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6812)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6812)
    • Checks proxy server information

      • slui.exe (PID: 2976)
    • Reads the software policy settings

      • slui.exe (PID: 2976)
    • Process checks computer location settings

      • Snipaste.tmp (PID: 4412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(1520) 0612-2.exe
Decrypted-URLs (31):
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://crl.globalsign.com/gs/gscodesigng2.crl0
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.net/root.crl0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
http://ocsp.digicert.com0
http://ocsp.digicert.com0A
http://ocsp.digicert.com0C
http://ocsp.digicert.com0X
http://ocsp2.globalsign.com/gscodesigng20
http://secure.globalsign.com/cacert/gscodesigng2.crt04
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
http://www.digicert.com/CPS0
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://www.microsoft.com/pkiops/Docs/Repository.htm0
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0
http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crt0
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
https://www.microsoft.com/en-us/windows
(PID) Process(1520) 0612-2.exe
Decrypted-URLs (9):
http://crl.globalsign.com/gs/gscodesigng2.crl0
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.net/root.crl0
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://ocsp2.globalsign.com/gscodesigng20
http://secure.globalsign.com/cacert/gscodesigng2.crt04
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: WTGAHHS676738UHUSHH Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: WTGAHHS676738UHUSHH
ProductVersion: 2.3.8
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
10
Malicious processes
7
Suspicious processes
0

Behavior graph

Processes in the order shown in the graph (tags and "no specs" markers as reported):
  • start
  • snipaste.exe
  • snipaste.tmp (no specs)
  • snipaste.exe
  • snipaste.tmp
  • 0612-2.exe (#XOR-URL)
  • qmupload.exe (#WINOS, no specs)
  • powershell.exe (no specs)
  • qmupload.exe (#WINOS)
  • conhost.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1336
CMD:
C:\ProgramData\7q1vK9Hl\QMUpload.exe
Path:
C:\ProgramData\7q1vK9Hl\QMUpload.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
腾讯电脑管家-下载中心
Version:
17.6.27115.207
Modules
Images
c:\programdata\7q1vk9hl\qmupload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
1520
CMD:
"C:\Users\admin\AppData\Roaming\2.3.810225479208\0612-2.exe"
Path:
C:\Users\admin\AppData\Roaming\2.3.810225479208\0612-2.exe
Parent process:
Snipaste.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\2.3.810225479208\0612-2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
2716
CMD:
"C:\Users\admin\AppData\Local\Temp\Snipaste.exe" /SPAWNWND=$702E8 /NOTIFYWND=$802E4
Path:
C:\Users\admin\AppData\Local\Temp\Snipaste.exe
Parent process:
Snipaste.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
WTGAHHS676738UHUSHH Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\snipaste.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
2976
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4412
CMD:
"C:\Users\admin\AppData\Local\Temp\is-I0DB7.tmp\Snipaste.tmp" /SL5="$802E4,53748433,845824,C:\Users\admin\AppData\Local\Temp\Snipaste.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-I0DB7.tmp\Snipaste.tmp
Parent process:
Snipaste.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-i0db7.tmp\snipaste.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
4552
CMD:
"C:\ProgramData\7q1vK9Hl\QMUpload.exe"
Path:
C:\ProgramData\7q1vK9Hl\QMUpload.exe
Parent process:
QMUpload.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
腾讯电脑管家-下载中心
Version:
17.6.27115.207
Modules
Images
c:\programdata\7q1vk9hl\qmupload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
4680
CMD:
"C:\Users\admin\AppData\Local\Temp\is-3EC4B.tmp\Snipaste.tmp" /SL5="$50252,53748433,845824,C:\Users\admin\AppData\Local\Temp\Snipaste.exe" /SPAWNWND=$702E8 /NOTIFYWND=$802E4
Path:
C:\Users\admin\AppData\Local\Temp\is-3EC4B.tmp\Snipaste.tmp
Parent process:
Snipaste.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-3ec4b.tmp\snipaste.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
4788
CMD:
"C:\Users\admin\AppData\Local\Temp\Snipaste.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Snipaste.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
WTGAHHS676738UHUSHH Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\snipaste.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
6164
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6812
CMD:
powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\ProgramData\7q1vK9Hl""
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
0612-2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
6 726
Read events
6 726
Write events
0
Delete events
0

Modification events

No data
Executable files
14
Suspicious files
10
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-BF1TI.tmp | -
MD5: -
SHA256: -
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\360SysVulTerminator.exe | -
MD5: -
SHA256: -
1520 | 0612-2.exe | C:\ProgramData\7q1vK9Hl\QMStuck.dll | -
MD5: -
SHA256: -
4680 | Snipaste.tmp | C:\Users\admin\AppData\Local\Temp\is-FIR85.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-5COT5.tmp | executable
MD5: 5EFA08B5ECADB2EC3CE2F3A4381CCD07
SHA256: 7350A2D7D9988E81DB4D02C51EBDA6573A884EE98C74D1E1EACF44DFB9955C0F
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-CALKE.tmp | binary
MD5: 5515EE6F136C87EAB65B9D35999C67E9
SHA256: 7D91C09221A2625D0743637E8418EB64F2E7390A17F8D7B5D826DB60021216F0
4788 | Snipaste.exe | C:\Users\admin\AppData\Local\Temp\is-I0DB7.tmp\Snipaste.tmp | executable
MD5: 71A3413226CD0B72B292769D19975116
SHA256: 0D7F228D65D2A69FB9F3A8EB30995891610F713F01B526FBFF4F80A49A2AECC8
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\unins000.dat | binary
MD5: 420980A7424E80F539ABCA72DF1AC309
SHA256: 91E9A4AF4DCC6241E0EB0813DB4B6A26D6232149753E1B8E396F5ABC3A6D5A85
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\is-NKO8E.tmp | binary
MD5: 420980A7424E80F539ABCA72DF1AC309
SHA256: 91E9A4AF4DCC6241E0EB0813DB4B6A26D6232149753E1B8E396F5ABC3A6D5A85
4680 | Snipaste.tmp | C:\Users\admin\AppData\Roaming\2.3.810225479208\README.md | binary
MD5: 5515EE6F136C87EAB65B9D35999C67E9
SHA256: 7D91C09221A2625D0743637E8418EB64F2E7390A17F8D7B5D826DB60021216F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
70
DNS requests
17
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3948
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4312
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4312
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2032
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3948
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3948
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.65
  • 20.190.160.128
  • 20.190.160.4
  • 20.190.160.131
  • 40.126.32.74
  • 20.190.160.20
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
No debug info