File name:

a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0

Full analysis: https://app.any.run/tasks/ba8408ae-43d8-41aa-8cb7-407fa5fb5199
Verdict: Malicious activity
Threats:

Gh0st RAT is malware with advanced trojan functionality that lets attackers take full control of the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Analysis date: May 26, 2024, 10:30:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rat
gh0st
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

CECAF426ADBD95EA44143BA00B5BFB7D

SHA1:

55317A43B367CCA39F612273EF308FB9944176CB

SHA256:

A13E52F9F4DC48C6FCF10DC330EC5252E6DF6294ED0854AA3641B5B145E883B0

SSDEEP:

98304:vX5UXVxdjtPSVSg58bEvnB3H/eyJHEAsc3GMk2qP6C+fVUC:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
      • svchost.exe (PID: 2160)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
    • Creates a writable file in the system directory

      • svchost.exe (PID: 2160)
      • svchos.exe (PID: 2540)
      • TXPlatforn.exe (PID: 708)
      • WerFault.exe (PID: 5060)
      • WerFault.exe (PID: 2308)
      • WerFault.exe (PID: 5784)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 5852)
      • WerFault.exe (PID: 4720)
      • WerFault.exe (PID: 3708)
      • WerFault.exe (PID: 1676)
      • WerFault.exe (PID: 824)
      • WerFault.exe (PID: 4004)
      • WerFault.exe (PID: 5276)
      • WerFault.exe (PID: 1728)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 2396)
      • WerFault.exe (PID: 1684)
      • WerFault.exe (PID: 3116)
      • WerFault.exe (PID: 3756)
      • WerFault.exe (PID: 3592)
      • WerFault.exe (PID: 724)
      • WerFault.exe (PID: 1808)
      • WerFault.exe (PID: 4640)
      • WerFault.exe (PID: 2696)
      • WerFault.exe (PID: 4560)
      • WerFault.exe (PID: 5380)
      • WerFault.exe (PID: 1640)
    • Starts CMD.EXE for self-deleting

      • svchost.exe (PID: 2160)
    • Creates or modifies Windows services

      • svchos.exe (PID: 2540)
    • Connects to the CnC server

      • TXPlatforn.exe (PID: 708)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
    • Executable content was dropped or overwritten

      • svchost.exe (PID: 2160)
      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
    • Executes as Windows Service

      • TXPlatforn.exe (PID: 1512)
    • Hides command output

      • cmd.exe (PID: 3592)
    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2160)
    • Application launched itself

      • TXPlatforn.exe (PID: 1512)
    • Mutex name with non-standard characters

      • svchos.exe (PID: 2540)
    • Creates files in the driver directory

      • TXPlatforn.exe (PID: 708)
    • Drops a system driver (possible attempt to evade defenses)

      • TXPlatforn.exe (PID: 708)
    • Creates or modifies Windows services

      • TXPlatforn.exe (PID: 708)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3592)
    • Contacting a server suspected of hosting a CnC

      • TXPlatforn.exe (PID: 708)
    • Connects to unusual port

      • TXPlatforn.exe (PID: 708)
  • INFO

    • Creates files in a temporary directory

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
    • Checks supported languages

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
      • svchost.exe (PID: 2160)
      • TXPlatforn.exe (PID: 1512)
      • svchos.exe (PID: 2540)
      • TXPlatforn.exe (PID: 708)
    • Reads the computer name

      • svchost.exe (PID: 2160)
      • TXPlatforn.exe (PID: 1512)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
    • Reads the software policy settings

      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 5060)
      • WerFault.exe (PID: 5784)
      • WerFault.exe (PID: 2308)
      • WerFault.exe (PID: 1676)
      • WerFault.exe (PID: 5852)
      • WerFault.exe (PID: 824)
      • WerFault.exe (PID: 1684)
      • WerFault.exe (PID: 5276)
      • WerFault.exe (PID: 4720)
      • WerFault.exe (PID: 1728)
      • WerFault.exe (PID: 3708)
      • WerFault.exe (PID: 2396)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 3116)
      • WerFault.exe (PID: 4004)
      • WerFault.exe (PID: 3756)
      • WerFault.exe (PID: 4560)
      • WerFault.exe (PID: 3592)
      • WerFault.exe (PID: 724)
      • WerFault.exe (PID: 5380)
      • WerFault.exe (PID: 1808)
      • WerFault.exe (PID: 4640)
      • WerFault.exe (PID: 1640)
      • WerFault.exe (PID: 2696)
    • Reads CPU info

      • TXPlatforn.exe (PID: 708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:10:10 15:16:58+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 520192
InitializedDataSize: 974848
UninitializedDataSize: -
EntryPoint: 0x60e35
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.9.8.9
ProductVersionNumber: 8.9.8.9
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 8.9.8.9
FileDescription: 应用程序
ProductName: 应用程序
ProductVersion: 8.9.8.9
CompanyName: Osama bin Mohammed bin Awad bin Laden
LegalCopyright: Osama bin Mohammed bin Awad bin Laden
Comments: 应用程序
No data.
All screenshots are available in the full report
Total processes
207
Monitored processes
35
Malicious processes
5
Suspicious processes
0

Behavior graph

start a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe svchost.exe txplatforn.exe no specs cmd.exe no specs svchos.exe txplatforn.exe conhost.exe no specs hd_a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe no specs ping.exe no specs werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 628
CMD: "C:\Users\admin\Desktop\a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe"
Path: C:\Users\admin\Desktop\a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Parent process: explorer.exe
User:
admin
Company:
Osama bin Mohammed bin Awad bin Laden
Integrity Level:
MEDIUM
Description:
应用程序
Exit code:
3221226540
Version:
8.9.8.9
Modules
Images
c:\users\admin\desktop\a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 708
CMD: C:\WINDOWS\SysWOW64\TXPlatforn.exe -acsi
Path: C:\Windows\SysWOW64\TXPlatforn.exe
Parent process: TXPlatforn.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\windows\syswow64\txplatforn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 724
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5108 -s 1340
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 824
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3912 -s 1308
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1512
CMD: C:\WINDOWS\SysWOW64\TXPlatforn.exe -auto
Path: C:\Windows\SysWOW64\TXPlatforn.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\syswow64\txplatforn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1640
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 368 -s 1312
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1676
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5964 -s 1328
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1684
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3656 -s 1220
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1728
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4428 -s 1320
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
150 846
Read events
150 627
Write events
144
Delete events
75

Modification events

(PID) Process: (2160) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation: write
Name: MarkTime
Value:
2024-05-26 10:31

(PID) Process: (2540) svchos.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é
Operation: write
Name: Description
Value:
¹ÜÀí»ùÓÚ×é¼þ¶ÔÏóÄ£Ð͵ĺËÐÄ·þÎñ¡£Èç¹û·þÎñ±»½ûÓ㬼ÆËã»ú½«ÎÞ·¨Õý³£ÔËÐС£

(PID) Process: (2540) svchos.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters
Operation: write
Name: ServiceDll
Value:
C:\WINDOWS\system32\1128265.txt

(PID) Process: (2540) svchos.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Operation: write
Name: Ö÷¶¯·ÀÓù·þÎñÄ£¿é
Value:
Ö÷¶¯·ÀÓù·þÎñÄ£¿é

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: Type
Value:
2

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: Start
Value:
1

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: ErrorControl
Value:
0

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: ImagePath
Value:
system32\DRIVERS\QAssist.sys

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: DisplayName
Value:
QAssist

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: Group
Value:
FSFilter Activity Monitor
Executable files
18
Suspicious files
51
Text files
52
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Program Files\CCleaner\CCleaner64.exe
Type:
MD5:
SHA256:

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename:
Type:
MD5:
SHA256:

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Type:
MD5:
SHA256:

PID: 4940
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ö÷¶¯·ÀÓù·þÎñÄ£¿é_bfa9c89a2c7ef8244642b0c2c2891dfe1b4f1c1_b12f9dcd_ae61f9a1-1c00-4e1c-8fa7-874973c0058d\Report.wer
Type:
MD5:
SHA256:

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\svchos.exe
Type: executable
MD5: 3B377AD877A942EC9F60EA285F7119A2
SHA256: 62954FDF65E629B39A29F539619D20691332184C6B6BE5A826128A8E759BFA84

PID: 2540
Process: svchos.exe
Filename: C:\WINDOWS\SysWOW64\1128265.txt
Type: executable
MD5: 512545BBD09FD2D3292796F402042028
SHA256: BE3610F970C1D461365682EE6805D67180B29909B201939263CB3B6AB33E9DD1

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\RCX3AC4.tmp
Type: executable
MD5: 5F26277CD1EACEA542A436924A7C57F0
SHA256: 47920E1DB7037E012A268A04D2C8E841C877A898EF417946102C3697A1D73E5E

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\X.ico
Type: image
MD5: 7674A834A680252C5086098DD5DFCFA2
SHA256: 03340B7FED8FD598DE4999E8FCD8185C62BDEA58126AE91CA3749728D2A8C612

PID: 5060
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ö÷¶¯·ÀÓù·þÎñÄ£¿é_bfa9c89a2c7ef8244642b0c2c2891dfe1b4f1c1_b12f9dcd_d328a241-224a-42f4-a2a7-49ae02236334\Report.wer
Type:
MD5:
SHA256:

PID: 2540
Process: svchos.exe
Filename: C:\WINDOWS\SysWOW64\ini.ini
Type: text
MD5: A935B44A0DDCCC80396F422C895375BE
SHA256: 01DE61508B1FA3AE543507F1BFEB6315775843B4981CDB581868D66C22CE7DBD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
57
TCP/UDP connections
138
DNS requests
30
Threats
29

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5380
svchost.exe
GET
200
104.85.249.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5964
Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
GET
301
163.181.92.205:80
http://www.taobao.com/help/getip.php
unknown
unknown
636
Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
GET
301
163.181.92.205:80
http://www.taobao.com/help/getip.php
unknown
unknown
4928
Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
GET
301
163.181.92.205:80
http://www.taobao.com/help/getip.php
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
104.85.249.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
4540
RUXIMICS.exe
GET
200
104.85.249.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5380
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4540
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2160
Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
GET
301
163.181.92.205:80
http://www.taobao.com/help/getip.php
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4364
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:138
whitelisted
5380
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4540
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5380
svchost.exe
104.85.249.145:80
crl.microsoft.com
Akamai International B.V.
PL
unknown
5140
MoUsoCoreWorker.exe
104.85.249.145:80
crl.microsoft.com
Akamai International B.V.
PL
unknown
4540
RUXIMICS.exe
104.85.249.145:80
crl.microsoft.com
Akamai International B.V.
PL
unknown
5380
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5140
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 104.85.249.145
  • 104.85.249.160
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
hackerinvasion.f3322.net
  • 49.13.77.253
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.taobao.com
  • 163.181.92.205
  • 163.181.92.206
malicious
watson.events.data.microsoft.com
  • 52.168.117.173
  • 20.189.173.22
  • 104.208.16.94
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted

Threats

Found threats are available for the paid subscriptions
29 ETPRO signatures available at the full report
No debug info