File name: remover.exe

Full analysis: https://app.any.run/tasks/6b439e88-a78a-4f6c-b3ea-7c08cbabfc6f
Verdict: Malicious activity
Analysis date: April 05, 2025, 15:51:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 87E4A2C16521DDDEC2373B9FC02C6BEA
SHA1: BBC786D87F7B79EA059CC4847A806C32CCBDD0F7
SHA256: 9D9541B0628706DDD2426EC56AB69644D090BA1B7E79286A7CC56635CDFD5CF1
SSDEEP: 49152:kAK5EkvjrOCa318J3U0hDlZj9vPRzT+XotxBZhTn9I7oKtKrdVCfC5vpR18t3U0G:NoEkPOCC16hxZj9vZT+XgZOBGdV6C51G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 1764)
    • Creates file in the systems drive root

      • svchost.exe (PID: 1764)
    • Searches for installed software

      • svchost.exe (PID: 7164)
  • INFO

    • Manual execution by a user

      • svchost.exe (PID: 72)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1216)
      • svchost.exe (PID: 1436)
      • svchost.exe (PID: 1508)
      • svchost.exe (PID: 1352)
      • upfc.exe (PID: 1624)
      • svchost.exe (PID: 1744)
      • svchost.exe (PID: 1564)
      • svchost.exe (PID: 1640)
      • svchost.exe (PID: 1080)
      • svchost.exe (PID: 1684)
      • svchost.exe (PID: 1752)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1888)
      • svchost.exe (PID: 2276)
      • svchost.exe (PID: 1964)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 2356)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 2084)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2576)
      • svchost.exe (PID: 2556)
      • svchost.exe (PID: 2720)
      • spoolsv.exe (PID: 2564)
      • svchost.exe (PID: 2596)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2588)
      • OfficeClickToRun.exe (PID: 2944)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2368)
      • svchost.exe (PID: 2428)
      • svchost.exe (PID: 2960)
      • svchost.exe (PID: 2980)
      • svchost.exe (PID: 3036)
      • svchost.exe (PID: 3064)
      • svchost.exe (PID: 2208)
      • svchost.exe (PID: 2308)
      • svchost.exe (PID: 3140)
      • svchost.exe (PID: 3284)
      • sppsvc.exe (PID: 3656)
      • svchost.exe (PID: 3720)
      • svchost.exe (PID: 3752)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 2952)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 4372)
      • svchost.exe (PID: 2120)
      • svchost.exe (PID: 4224)
      • svchost.exe (PID: 4476)
      • TrustedInstaller.exe (PID: 5008)
      • svchost.exe (PID: 4788)
      • svchost.exe (PID: 4012)
      • svchost.exe (PID: 3248)
      • svchost.exe (PID: 3604)
      • svchost.exe (PID: 5188)
      • svchost.exe (PID: 5712)
      • svchost.exe (PID: 5860)
      • svchost.exe (PID: 5284)
      • svchost.exe (PID: 7164)
      • svchost.exe (PID: 3944)
      • svchost.exe (PID: 6736)
      • svchost.exe (PID: 5372)
      • svchost.exe (PID: 1132)
      • svchost.exe (PID: 1224)
      • svchost.exe (PID: 1048)
      • svchost.exe (PID: 1104)
      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 3704)
      • svchost.exe (PID: 6096)
      • svchost.exe (PID: 4752)
      • svchost.exe (PID: 1304)
      • uhssvc.exe (PID: 6344)
      • svchost.exe (PID: 2484)
      • svchost.exe (PID: 6540)
      • svchost.exe (PID: 3700)
    • Reads the time zone

      • svchost.exe (PID: 1304)
      • svchost.exe (PID: 2596)
      • svchost.exe (PID: 5284)
    • Creates files in the program directory

      • svchost.exe (PID: 2356)
      • PLUGScheduler.exe (PID: 4124)
      • svchost.exe (PID: 5284)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 1080)
      • uhssvc.exe (PID: 6344)
      • svchost.exe (PID: 3944)
    • Checks proxy server information

      • svchost.exe (PID: 3604)
    • Checks supported languages

      • TrustedInstaller.exe (PID: 5008)
      • OfficeClickToRun.exe (PID: 2944)
      • uhssvc.exe (PID: 6344)
    • Reads the computer name

      • TrustedInstaller.exe (PID: 5008)
      • PLUGScheduler.exe (PID: 4124)
      • uhssvc.exe (PID: 6344)
    • Reads security settings of Internet Explorer

      • sihost.exe (PID: 3920)
      • svchost.exe (PID: 4752)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2944)
    • Application launched itself

      • msedge.exe (PID: 7156)
      • msedge.exe (PID: 7124)
    • Reads the software policy settings

      • SIHClient.exe (PID: 6548)
    • Reads Environment values

      • uhssvc.exe (PID: 6344)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2077:11:26 14:06:38+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 1331712
InitializedDataSize: 6144
UninitializedDataSize: -
EntryPoint: 0x1470fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: remover
FileVersion: 1.0.0.0
InternalName: remover.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: remover.exe
ProductName: remover
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Total processes: 233
Monitored processes: 90
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Behavior graph of the monitored processes; figure not reproduced here.]

Process information

PID | CMD | Path | Indicators | Parent process
PID: 72 | CMD: C:\WINDOWS\system32\svchost.exe -k RPCSS -p | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcepmap.dll
c:\windows\system32\wldp.dll
PID: 496 | CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 804 | CMD: taskhostw.exe | Path: C:\Windows\System32\taskhostw.exe | Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskhostw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 924 | CMD: taskhostw.exe -RegisterDevice -SettingChange -Full | Path: C:\Windows\System32\taskhostw.exe | Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskhostw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 1048 | CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1080 | CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s DsmSvc | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1104 | CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1132 | CMD: C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork -p | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1216 | CMD: C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1224 | CMD: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events: 84 228
Read events: 81 376
Write events: 2 623
Delete events: 229

Modification events

(PID) Process: (496) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
Operation: write
Name: InstanceID
Value: f74ba07d-95e5-4023-91d2-ea899a0

(PID) Process: (496) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
Operation: write
Name: GlassSessionId
Value: 1

(PID) Process: (496) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: WinStationsDisabled
Value: 0

(PID) Process: (72) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords\RPC-EPMap
Operation: write
Name: Collection
Value: 87000100

(PID) Process: (72) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords\RPC-EPMap
Operation: write
Name: Collection
Value: 87000200

(PID) Process: (1048) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState
Operation: write
Name: PolicyState
Value: 0

(PID) Process: (1080) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DsmSvc\State
Operation: write
Name: SessionNumber
Value: 3C000000

(PID) Process: (1304) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\State
Operation: delete value
Name: LastRestoreId
Value:

(PID) Process: (1304) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\State
Operation: write
Name: 6005BT
Value: 40A486BA42A6DB01

(PID) Process: (1304) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
Operation: write
Name: LastAliveStamp
Value: D0BAAD0B

Executable files: 0
Suspicious files: 189
Text files: 13
Unknown types: 1

Dropped files

PID: 1972 | Process: svchost.exe | Filename: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat
MD5:
SHA256:

PID: 1972 | Process: svchost.exe | Filename: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-18.dat
MD5:
SHA256:

PID: 2952 | Process: svchost.exe | Filename: C:\Windows\System32\sru\SRUDB.dat
MD5:
SHA256:

PID: 1304 | Process: svchost.exe | Filename: C:\Windows\System32\winevt\Logs\Security.evtx
MD5:
SHA256:

PID: 1272 | Process: svchost.exe | Filename: C:\Windows\Tasks\SA.DAT | Type: binary
MD5: F1A6CD5ADAAB953A6764EA364E17BFB8
SHA256: 12DC5CCD7FECAFE070976A1916E9672E3D53085633C86957AEE305CCC584184C

PID: 1304 | Process: svchost.exe | Filename: C:\Windows\ServiceState\EventLog\Data\lastalive0.dat | Type: binary
MD5: E6670A3A6070EA490870E2DD6C48F2D2
SHA256: DB5A4C1E6099CFAEDC6828AB0B0FAD6E8A93A3EED16792385280031240CE5AE1

PID: 1304 | Process: svchost.exe | Filename: C:\Windows\ServiceState\EventLog\Data\lastalive1.dat | Type: binary
MD5: 216C3359A067890C260AFD765E29D5AA
SHA256: FF274C5A0D577944FFB40D4D4D2187C156B8F7C920FF889A7DBCE12475E883D9

PID: 2356 | Process: svchost.exe | Filename: C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal
MD5:
SHA256:

PID: 2356 | Process: svchost.exe | Filename: C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
MD5:
SHA256:

PID: 1972 | Process: svchost.exe | Filename: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontSet-S-1-5-18.dat | Type: binary
MD5: F9802641034B7FB8C6A8FF2CBDECC96D
SHA256: FA05031BF88D39AC4344DD21BF837A2020CD71E9F606FD34D809431698227E5C

HTTP(S) requests: 7
TCP/UDP connections: 66
DNS requests: 29
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.32.238.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5188
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6548
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6548
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5308
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7160
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5564
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.32.238.34:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
172.172.255.216:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
224.0.0.251:5353
unknown
224.0.0.252:5355
whitelisted
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.32.238.34
  • 2.19.198.194
whitelisted
google.com
  • 142.250.185.206
whitelisted
client.wns.windows.com
  • 172.172.255.216
  • 172.172.255.217
whitelisted
self.events.data.microsoft.com
  • 40.79.173.41
  • 20.189.173.18
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.76
  • 20.190.160.132
  • 20.190.160.67
  • 40.126.32.136
  • 20.190.160.14
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
go.microsoft.com
  • 2.19.106.8
  • 95.100.186.9
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted

Threats

No threats detected
No debug info