File name:

binBINporelculin.exe

Full analysis: https://app.any.run/tasks/cd1f98c6-e68d-4e9a-9242-d6b388a54eb4
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers a variety of programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their victims by logging keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: June 21, 2025, 18:13:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D678C85C31E59ABE1CEDB26D13AC9DA8

SHA1:

FFF0A98564777AC1BECCE1DFA217F53B6F09B1D9

SHA256:

8E82AA751BFEAB05FFC5E7ADA239E12C424AC1FE14449C0AEF7DE48FB5F26644

SSDEEP:

12288:rfh1LUwIudut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q:N1Lgn6N6LqQzJqk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts Visual C# compiler

      • binBINporelculin.exe (PID: 6684)
    • Adds path to the Windows Defender exclusion list

      • cvtres.exe (PID: 6408)
      • cmd.exe (PID: 1204)
      • cmd.exe (PID: 5124)
    • Changes Windows Defender settings

      • cmd.exe (PID: 1204)
      • cmd.exe (PID: 5124)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cvtres.exe (PID: 6408)
      • binBINporelculin.exe (PID: 6684)
      • StartMenuExperienceHost.exe (PID: 7056)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 6772)
    • Starts CMD.EXE for command execution

      • binBINporelculin.exe (PID: 6684)
      • cvtres.exe (PID: 6408)
    • The executable file from the user directory is run by the CMD process

      • cvtresa.exe (PID: 1728)
    • Starts POWERSHELL.EXE for command execution

      • cmd.exe (PID: 1204)
      • cmd.exe (PID: 5124)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1204)
      • cmd.exe (PID: 5124)
    • The process hides an interactive prompt from the user

      • cmd.exe (PID: 5124)
      • cmd.exe (PID: 1204)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 7056)
      • SearchApp.exe (PID: 504)
    • Connects to unusual port

      • cvtres.exe (PID: 6408)
    • Multiple wallet extension IDs have been found

      • cvtres.exe (PID: 6408)
    • Uses .NET C# to load dll

      • binBINporelculin.exe (PID: 6684)
  • INFO

    • Checks supported languages

      • binBINporelculin.exe (PID: 6684)
      • cvtres.exe (PID: 728)
      • cvtres.exe (PID: 6408)
      • cvtresa.exe (PID: 1728)
      • StartMenuExperienceHost.exe (PID: 7056)
      • SearchApp.exe (PID: 504)
      • csc.exe (PID: 6772)
    • Creates files in a temporary directory

      • csc.exe (PID: 6772)
      • cvtres.exe (PID: 728)
      • binBINporelculin.exe (PID: 6684)
    • Reads the machine GUID from the registry

      • binBINporelculin.exe (PID: 6684)
      • csc.exe (PID: 6772)
      • cvtres.exe (PID: 6408)
      • SearchApp.exe (PID: 504)
    • Reads the computer name

      • cvtres.exe (PID: 6408)
      • cvtresa.exe (PID: 1728)
      • StartMenuExperienceHost.exe (PID: 7056)
      • SearchApp.exe (PID: 504)
      • binBINporelculin.exe (PID: 6684)
    • Checks proxy server information

      • binBINporelculin.exe (PID: 6684)
      • SearchApp.exe (PID: 504)
      • explorer.exe (PID: 1948)
      • slui.exe (PID: 2532)
    • Process checks computer location settings

      • binBINporelculin.exe (PID: 6684)
      • cvtres.exe (PID: 6408)
      • StartMenuExperienceHost.exe (PID: 7056)
      • SearchApp.exe (PID: 504)
    • Disables trace logs

      • binBINporelculin.exe (PID: 6684)
    • Reads the software policy settings

      • binBINporelculin.exe (PID: 6684)
      • SearchApp.exe (PID: 504)
      • slui.exe (PID: 2532)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1948)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1080)
      • powershell.exe (PID: 2044)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 1948)
    • Reads Environment values

      • SearchApp.exe (PID: 504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:08 08:14:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 503296
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x7ccee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.1
InternalName: Stub.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: Stub.exe
ProductName: -
ProductVersion: 1.0.0.1
AssemblyVersion: 1.0.0.1
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start binbinporelculin.exe conhost.exe no specs csc.exe cvtres.exe no specs explorer.exe no specs cvtres.exe cmd.exe no specs conhost.exe no specs cvtresa.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs startmenuexperiencehost.exe no specs powershell.exe no specs svchost.exe searchapp.exe mobsync.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 316
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 504
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 728
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES7966.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3B626C8FA3D74B5EB0D6F0F7CBAF345A.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 856
CMD: "C:\Windows\System32\cmd.exe" /k start /b C:\Users\admin\AppData\Local\Temp\cvtresa.exe & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: binBINporelculin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1080
CMD: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1204
CMD: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cvtres.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1728
CMD: C:\Users\admin\AppData\Local\Temp\cvtresa.exe
Path: C:\Users\admin\AppData\Local\Temp\cvtresa.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cvtresa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1948
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: binBINporelculin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 2044
CMD: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events: 37 872
Read events: 37 678
Write events: 177
Delete events: 17

Modification events

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6684) binBINporelculin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\binBINporelculin_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 3
Suspicious files: 25
Text files: 92
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6684 | binBINporelculin.exe | C:\Users\admin\AppData\Local\Temp\ysdwavd4.cmdline | text
MD5: A2023CEE890E42652E38DA8A2B433108
SHA256: C67DF6A572DB1806C8A1CEE91A7E1A4AB34A39796F4EB6A0B5DEEAB925DBE193
1080 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ww2im1x.vpt.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1080 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3fslotwe.wnw.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
728 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES7966.tmp | binary
MD5: 0FCA7229AB9AAA5A708636DB8CF56817
SHA256: 7E4DB01BADC11FB4342E5BD01E854CDC51D32B3CEF6EBD7553D61AD5A91BD171
6684 | binBINporelculin.exe | C:\Users\admin\AppData\Local\Temp\ysdwavd4.0.cs | text
MD5: 1CF3F0999C15EAC869557D14F18A1615
SHA256: 78B7B3F5DAEAEA70490A95F5C81569DCDB738154DA522CA33CA4F80ECB4A916F
6772 | csc.exe | C:\Users\admin\AppData\Local\Temp\cvtresa.exe | executable
MD5: C8D97C1FFF579031EDD6F4846FBF058E
SHA256: 46F5FBA5354E36E0CBFC1EC786213ABE1ACA885E1A4E7C4D90F0D1BAAC9B5EFC
6772 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC3B626C8FA3D74B5EB0D6F0F7CBAF345A.TMP | binary
MD5: 6D4E315DDB659723CF270858A8023839
SHA256: F6528EA00F868CA00663E6AEFF8DEF75C2DB4A0B7012D9836F9267679B0E47F0
2044 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cvmtlu3p.zu0.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2044 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_whfachod.fxf.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2044 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: E07F8261A44795A7066EE8A665AEB626
SHA256: DB3C297BB1E816C84710454B53B52387216059EB016FDE7DC5E9EF51110B4C37
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 33
DNS requests: 14
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4708 | RUXIMICS.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 92.123.22.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 92.123.22.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.38.123.179:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.09 Kb | whitelisted
- | - | GET | 200 | 23.38.123.179:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | binary | 21.3 Kb | whitelisted
- | - | POST | 204 | 23.38.123.179:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 23.38.123.143:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | unknown | html | 129 Kb | whitelisted
4708 | RUXIMICS.exe | GET | 200 | 92.123.22.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4708 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4708 | RUXIMICS.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 92.123.22.101:80 | www.microsoft.com | AKAMAI-AS | AT | whitelisted
5944 | MoUsoCoreWorker.exe | 92.123.22.101:80 | www.microsoft.com | AKAMAI-AS | AT | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.8
  • 23.216.77.25
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 92.123.22.101
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted
conhostlogsdown.sytes.net
  • 179.52.210.122
unknown
www.bing.com
  • 23.38.123.143
  • 23.38.123.179
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 13.89.178.27
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2200 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
2200 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
2200 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
No debug info