File name:

lol.zip

Full analysis: https://app.any.run/tasks/069c51a6-12f6-445b-90d3-350499f4c359
Verdict: Malicious activity
Analysis date: April 11, 2025, 17:24:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
arch-exec
arch-scr
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

C6AE19E2E21DE8605CE56E5C65B227A7

SHA1:

8CAC2EFC5F7CABA127177BA489765F54FF420D0D

SHA256:

95BB4DDCE1D9E4F8F60F367530C60BCD6B6F7C31C8E7B81733E85BC43918588D

SSDEEP:

49152:bxugY2K22xVXoBzieM3tQIzwU6Nd/l7e+cdXsz/Z6quS7ggA1u69utgnBlfD7lbQ:bYUyyB8zmNdNFdzZ6qAY8LfflTEk7FeV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 7940)

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 4268)

    • Found IP address in command line

      • powershell.exe (PID: 8084)
      • powershell.exe (PID: 4068)

    • Execution of CURL command

      • cmd.exe (PID: 7940)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8068)
      • cmd.exe (PID: 7940)
      • cmd.exe (PID: 7224)
      • cmd.exe (PID: 6576)
      • cmd.exe (PID: 7200)
      • cmd.exe (PID: 6640)
      • cmd.exe (PID: 7884)
      • cmd.exe (PID: 7964)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 728)
      • cmd.exe (PID: 7512)
      • cmd.exe (PID: 5376)
      • cmd.exe (PID: 4572)
      • cmd.exe (PID: 8180)
      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7488)
      • cmd.exe (PID: 4728)

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 7940)
      • net.exe (PID: 8184)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7940)

    • Get information on the list of running processes

      • cmd.exe (PID: 7052)
      • cmd.exe (PID: 7540)
      • cmd.exe (PID: 7940)
      • cmd.exe (PID: 5728)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7940)
      • cmd.exe (PID: 4696)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 7264)
      • mshta.exe (PID: 5344)
      • mshta.exe (PID: 2136)
      • mshta.exe (PID: 6852)
      • mshta.exe (PID: 3364)
      • mshta.exe (PID: 6540)
      • mshta.exe (PID: 616)
      • mshta.exe (PID: 7708)
      • mshta.exe (PID: 4424)
      • mshta.exe (PID: 7548)
      • mshta.exe (PID: 7336)
      • mshta.exe (PID: 7916)

    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5508)
      • WerFault.exe (PID: 7348)
      • WerFault.exe (PID: 7528)
      • WerFault.exe (PID: 864)
      • WerFault.exe (PID: 1240)
      • WerFault.exe (PID: 8028)
      • WerFault.exe (PID: 2600)
      • WerFault.exe (PID: 7220)
      • WerFault.exe (PID: 7560)
      • WerFault.exe (PID: 7628)
      • WerFault.exe (PID: 6760)

    • Executes application which crashes

      • mshta.exe (PID: 7264)
      • mshta.exe (PID: 5344)
      • mshta.exe (PID: 2136)
      • mshta.exe (PID: 6852)
      • mshta.exe (PID: 3364)
      • mshta.exe (PID: 7708)
      • mshta.exe (PID: 6540)
      • mshta.exe (PID: 616)
      • mshta.exe (PID: 4424)
      • mshta.exe (PID: 7548)
      • mshta.exe (PID: 7336)
      • mshta.exe (PID: 7916)

  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 4268)

    • Manual execution by a user

      • cmd.exe (PID: 7940)

    • Execution of CURL command

      • cmd.exe (PID: 8008)

    • Reads the computer name

      • curl.exe (PID: 8024)

    • Checks supported languages

      • curl.exe (PID: 8024)
      • chcp.com (PID: 6068)
      • chcp.com (PID: 3896)
      • mode.com (PID: 7232)
      • chcp.com (PID: 8056)
      • chcp.com (PID: 8040)
      • chcp.com (PID: 6744)
      • chcp.com (PID: 2064)
      • chcp.com (PID: 6592)
      • chcp.com (PID: 7956)
      • chcp.com (PID: 7244)
      • chcp.com (PID: 7580)
      • chcp.com (PID: 6640)
      • chcp.com (PID: 8024)

    • Changes the display of characters in the console

      • cmd.exe (PID: 7940)
      • cmd.exe (PID: 4696)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7232)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1240)

    • Checks proxy server information

      • mshta.exe (PID: 7264)
      • mshta.exe (PID: 5344)
      • mshta.exe (PID: 2136)
      • mshta.exe (PID: 6852)
      • mshta.exe (PID: 3364)
      • mshta.exe (PID: 7708)
      • mshta.exe (PID: 6540)
      • mshta.exe (PID: 616)
      • mshta.exe (PID: 4424)
      • mshta.exe (PID: 7548)
      • mshta.exe (PID: 7336)
      • mshta.exe (PID: 7916)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5508)
      • WerFault.exe (PID: 7348)
      • WerFault.exe (PID: 7528)
      • WerFault.exe (PID: 1240)
      • WerFault.exe (PID: 864)
      • WerFault.exe (PID: 2600)
      • WerFault.exe (PID: 7220)
      • WerFault.exe (PID: 7628)
      • WerFault.exe (PID: 6760)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5344)
      • mshta.exe (PID: 2136)
      • mshta.exe (PID: 6852)
      • mshta.exe (PID: 7708)
      • mshta.exe (PID: 6540)
      • mshta.exe (PID: 616)
      • mshta.exe (PID: 4424)
      • mshta.exe (PID: 7916)
      • mshta.exe (PID: 7336)

    • Reads the software policy settings

      • slui.exe (PID: 7284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:09 05:03:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: lang/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
255
Monitored processes
112
Malicious processes
1
Suspicious processes
13

Behavior graph

Click at the process to see the details
start winrar.exe no specs sppextcomobj.exe no specs slui.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs curl.exe cmd.exe no specs powershell.exe no specs net.exe no specs net1.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs mode.com no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs slui.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
616mshta.exe "C:\Users\admin\Desktop\New folder\Launcher.hta"C:\Windows\System32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
3221225477
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
684powershell -Command "(Get-FileHash Options.ini -Algorithm MD5).Hash"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
728C:\WINDOWS\system32\cmd.exe /c powershell -Command "(Get-FileHash Options.ini -Algorithm MD5).Hash"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
864C:\WINDOWS\system32\WerFault.exe -u -p 3364 -s 1932C:\Windows\System32\WerFault.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
1196powershell -Command "[console]::title='WeModPatcher'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1240powershell -Command "[math]::Round((24 - '1280x680'.length) / 2)"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1240C:\WINDOWS\system32\WerFault.exe -u -p 6852 -s 1948C:\Windows\System32\WerFault.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
1300reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /V "AppsUseLightTheme"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
1616C:\WINDOWS\system32\cmd.exe /c mshta.exe "C:\Users\admin\Desktop\New folder\Launcher.hta"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225477
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1660tasklist /NH /FI "WindowTitle eq "WeModPatcher""C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
128 383
Read events
128 364
Write events
19
Delete events
0

Modification events

(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\lol.zip
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(4268) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
0
Suspicious files
34
Text files
70
Unknown types
2

Dropped files

PID
Process
Filename
Type
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\lang\lang_ru.initext
MD5:0CA2E71373B332E16C4DD703DD55D7D2
SHA256:B2AD6A04B335B3421A7B180B5AFB3CFCDF965380F4AC46F0652BEE5F8BD982FD
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\lang\lang_zh-CN.initext
MD5:5CE9ED3CA85C044436445B9484576556
SHA256:73235BBCAF1601E3A1B0B96C59646028B8E671C04A97C37239454D2E474E22B2
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\lang\lang_pt.initext
MD5:98D8CB666E73522D7478520D685183CC
SHA256:E56FB42EA5361EDF06D352ADCB3C46CD2A675C59D455B2FAF7D14727ACA1ADE3
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\lang\lang_es.initext
MD5:EFE851D125CBF4EA90D87CF1F469E331
SHA256:5D75679F3A5CD60EA5700C5F83AF9411D404B1A6077EB994D90597BDFE9855D9
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\lang\lang_de.initext
MD5:56F718D833D85B64D368A746CEC7D311
SHA256:9296A56AE3F33183E5DD78159EEDC14E7C55D58B6FF984D30480927F3491A0A6
1196powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yckeurcy.z1m.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\WeModPatcher.icoimage
MD5:CCB4F0739B87DF9D7C9D0BEF63014E53
SHA256:1F7DDFDA33CC1FF03F897AACAEDFB33A97B6430811089B96C136F362E90073F6
8084powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5CF8802F273AA9BC372F4C382FBD2DA3
SHA256:68C9CBFCE985C72E09518765FD1D6F7D150465A807E3C449CCA4C63D58E31F59
1196powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_had15wuk.qpn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4268WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4268.10480\Options.htahtml
MD5:C0826786D1B58B03C4C134865CD0A0A6
SHA256:E4CDEA4433591103E4C416165B9B7EEBFF79C30B011EEE839064C0621FE0B209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7764
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7764
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
756
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
756
lsass.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5588
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5496
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.180
  • 23.48.23.164
  • 23.48.23.156
  • 23.48.23.176
  • 23.48.23.143
  • 23.48.23.167
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.20
  • 20.190.160.5
  • 20.190.160.14
  • 20.190.160.66
  • 20.190.160.22
  • 40.126.32.68
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
lol.zip