File name: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0

Full analysis: https://app.any.run/tasks/ba8408ae-43d8-41aa-8cb7-407fa5fb5199
Verdict: Malicious activity
Threats:

Gh0st RAT is malware with advanced trojan functionality that enables attackers to establish full control over the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Analysis date: May 26, 2024, 10:30:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, rat, gh0st
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: CECAF426ADBD95EA44143BA00B5BFB7D
SHA1: 55317A43B367CCA39F612273EF308FB9944176CB
SHA256: A13E52F9F4DC48C6FCF10DC330EC5252E6DF6294ED0854AA3641B5B145E883B0
SSDEEP: 98304:vX5UXVxdjtPSVSg58bEvnB3H/eyJHEAsc3GMk2qP6C+fVUC:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
      • svchost.exe (PID: 2160)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
    • Creates a writable file in the system directory

      • svchost.exe (PID: 2160)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
      • WerFault.exe (PID: 5060)
      • WerFault.exe (PID: 2308)
      • WerFault.exe (PID: 5784)
      • WerFault.exe (PID: 3708)
      • WerFault.exe (PID: 1676)
      • WerFault.exe (PID: 5852)
      • WerFault.exe (PID: 824)
      • WerFault.exe (PID: 4720)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 2396)
      • WerFault.exe (PID: 5276)
      • WerFault.exe (PID: 1684)
      • WerFault.exe (PID: 4004)
      • WerFault.exe (PID: 1728)
      • WerFault.exe (PID: 724)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 1808)
      • WerFault.exe (PID: 3116)
      • WerFault.exe (PID: 3756)
      • WerFault.exe (PID: 4560)
      • WerFault.exe (PID: 3592)
      • WerFault.exe (PID: 4640)
      • WerFault.exe (PID: 1640)
      • WerFault.exe (PID: 2696)
      • WerFault.exe (PID: 5380)
    • Starts CMD.EXE for self-deleting

      • svchost.exe (PID: 2160)
    • Creates or modifies Windows services

      • svchos.exe (PID: 2540)
    • Connects to the CnC server

      • TXPlatforn.exe (PID: 708)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
    • Executable content was dropped or overwritten

      • svchost.exe (PID: 2160)
      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
    • Hides command output

      • cmd.exe (PID: 3592)
    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2160)
    • Executes as Windows Service

      • TXPlatforn.exe (PID: 1512)
    • Application launched itself

      • TXPlatforn.exe (PID: 1512)
    • Creates or modifies Windows services

      • TXPlatforn.exe (PID: 708)
    • Mutex name with non-standard characters

      • svchos.exe (PID: 2540)
    • Drops a system driver (possible attempt to evade defenses)

      • TXPlatforn.exe (PID: 708)
    • Creates files in the driver directory

      • TXPlatforn.exe (PID: 708)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3592)
    • Contacting a server suspected of hosting a CnC

      • TXPlatforn.exe (PID: 708)
    • Connects to unusual port

      • TXPlatforn.exe (PID: 708)
  • INFO

    • Checks supported languages

      • svchost.exe (PID: 2160)
      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
      • TXPlatforn.exe (PID: 1512)
      • TXPlatforn.exe (PID: 708)
      • svchos.exe (PID: 2540)
    • Reads the computer name

      • svchost.exe (PID: 2160)
      • TXPlatforn.exe (PID: 1512)
      • svchos.exe (PID: 2540)
      • TXPlatforn.exe (PID: 708)
    • Creates files in a temporary directory

      • a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe (PID: 4924)
    • Reads CPU info

      • TXPlatforn.exe (PID: 708)
    • Reads the software policy settings

      • WerFault.exe (PID: 5784)
      • WerFault.exe (PID: 3708)
      • WerFault.exe (PID: 1676)
      • WerFault.exe (PID: 5852)
      • WerFault.exe (PID: 824)
      • WerFault.exe (PID: 2396)
      • WerFault.exe (PID: 4720)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 5060)
      • WerFault.exe (PID: 2308)
      • WerFault.exe (PID: 1684)
      • WerFault.exe (PID: 4940)
      • WerFault.exe (PID: 4004)
      • WerFault.exe (PID: 5276)
      • WerFault.exe (PID: 1728)
      • WerFault.exe (PID: 724)
      • WerFault.exe (PID: 1808)
      • WerFault.exe (PID: 3756)
      • WerFault.exe (PID: 3116)
      • WerFault.exe (PID: 5380)
      • WerFault.exe (PID: 3592)
      • WerFault.exe (PID: 1640)
      • WerFault.exe (PID: 4640)
      • WerFault.exe (PID: 2696)
      • WerFault.exe (PID: 4560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:10:10 15:16:58+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 520192
InitializedDataSize: 974848
UninitializedDataSize: -
EntryPoint: 0x60e35
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.9.8.9
ProductVersionNumber: 8.9.8.9
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 8.9.8.9
FileDescription: 应用程序
ProductName: 应用程序
ProductVersion: 8.9.8.9
CompanyName: Osama bin Mohammed bin Awad bin Laden
LegalCopyright: Osama bin Mohammed bin Awad bin Laden
Comments: 应用程序
No data.
All screenshots are available in the full report
Total processes: 207
Monitored processes: 35
Malicious processes: 5
Suspicious processes: 0

Behavior graph

start a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe svchost.exe txplatforn.exe no specs cmd.exe no specs svchos.exe txplatforn.exe conhost.exe no specs hd_a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe no specs ping.exe no specs werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe werfault.exe a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe no specs

Process information

PID: 628
CMD: "C:\Users\admin\Desktop\a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe"
Path: C:\Users\admin\Desktop\a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Parent process: explorer.exe
User: admin
Company: Osama bin Mohammed bin Awad bin Laden
Integrity Level: MEDIUM
Description: 应用程序
Exit code: 3221226540
Version: 8.9.8.9
Modules (Images):
  c:\users\admin\desktop\a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 708
CMD: C:\WINDOWS\SysWOW64\TXPlatforn.exe -acsi
Path: C:\Windows\SysWOW64\TXPlatforn.exe
Parent process: TXPlatforn.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules (Images):
  c:\windows\syswow64\txplatforn.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 724
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5108 -s 1340
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 824
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3912 -s 1308
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 1100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 1512
CMD: C:\WINDOWS\SysWOW64\TXPlatforn.exe -auto
Path: C:\Windows\SysWOW64\TXPlatforn.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (Images):
  c:\windows\syswow64\txplatforn.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 1640
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 368 -s 1312
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 1676
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5964 -s 1328
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 1684
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3656 -s 1220
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 1728
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4428 -s 1320
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll
Total events: 150 846
Read events: 150 627
Write events: 144
Delete events: 75

Modification events

(PID) Process: (2160) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation: write
Name: MarkTime
Value: 2024-05-26 10:31

(PID) Process: (2540) svchos.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é
Operation: write
Name: Description
Value: ¹ÜÀí»ùÓÚ×é¼þ¶ÔÏóÄ£Ð͵ĺËÐÄ·þÎñ¡£Èç¹û·þÎñ±»½ûÓ㬼ÆËã»ú½«ÎÞ·¨Õý³£ÔËÐС£

(PID) Process: (2540) svchos.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters
Operation: write
Name: ServiceDll
Value: C:\WINDOWS\system32\1128265.txt

(PID) Process: (2540) svchos.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Operation: write
Name: Ö÷¶¯·ÀÓù·þÎñÄ£¿é
Value: Ö÷¶¯·ÀÓù·þÎñÄ£¿é

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: Type
Value: 2

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: Start
Value: 1

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: ErrorControl
Value: 0

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: ImagePath
Value: system32\DRIVERS\QAssist.sys

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: DisplayName
Value: QAssist

(PID) Process: (708) TXPlatforn.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write
Name: Group
Value: FSFilter Activity Monitor

Executable files: 18
Suspicious files: 51
Text files: 52
Unknown types: 0

Dropped files

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Program Files\CCleaner\CCleaner64.exe
Type:
MD5:
SHA256:

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename:
Type:
MD5:
SHA256:

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Type:
MD5:
SHA256:

PID: 4940
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ö÷¶¯·ÀÓù·þÎñÄ£¿é_bfa9c89a2c7ef8244642b0c2c2891dfe1b4f1c1_b12f9dcd_ae61f9a1-1c00-4e1c-8fa7-874973c0058d\Report.wer
Type:
MD5:
SHA256:

PID: 2160
Process: svchost.exe
Filename: C:\WINDOWS\SysWOW64\TXPlatforn.exe
Type: executable
MD5: A4329177954D4104005BCE3020E5EF59
SHA256: 6156D003D54DCF2EE92F21BD6E7A6A7F91730BD2804381260BCABE465ABE6DDD

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\svchos.exe
Type: executable
MD5: 3B377AD877A942EC9F60EA285F7119A2
SHA256: 62954FDF65E629B39A29F539619D20691332184C6B6BE5A826128A8E759BFA84

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\HD_X.dat
Type: executable
MD5: BEF65A543985DBBDB7FA695669A33F3E
SHA256: AF7D313B323EC19EDE7CD1C8E26404513CEDA6490473F2DB83D8B517F6F02461

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\svchost.exe
Type: executable
MD5: A4329177954D4104005BCE3020E5EF59
SHA256: 6156D003D54DCF2EE92F21BD6E7A6A7F91730BD2804381260BCABE465ABE6DDD

PID: 5060
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ö÷¶¯·ÀÓù·þÎñÄ£¿é_bfa9c89a2c7ef8244642b0c2c2891dfe1b4f1c1_b12f9dcd_d328a241-224a-42f4-a2a7-49ae02236334\Report.wer
Type:
MD5:
SHA256:

PID: 4924
Process: a13e52f9f4dc48c6fcf10dc330ec5252e6df6294ed0854aa3641b5b145e883b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\RCX3DA4.tmp
Type: executable
MD5: 5A998EBD0A8173CBE38781FDBCAA8EE6
SHA256: F96E965FDAE81E4950AF31C62F5B8227D4C348CC7F5A3FC819BE948BEFA53C8A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 57
TCP/UDP connections: 138
DNS requests: 30
Threats: 29

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 104.85.249.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5380 | svchost.exe | GET | 200 | 104.85.249.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4540 | RUXIMICS.exe | GET | 200 | 104.85.249.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
2160 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | GET | 301 | 163.181.92.205:80 | http://www.taobao.com/help/getip.php | unknown | unknown
5380 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4540 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4928 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | GET | 301 | 163.181.92.205:80 | http://www.taobao.com/help/getip.php | unknown | unknown
4704 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | GET | 301 | 163.181.92.205:80 | http://www.taobao.com/help/getip.php | unknown | unknown
6104 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | GET | 301 | 163.181.92.205:80 | http://www.taobao.com/help/getip.php | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | unknown
4 | System | 192.168.100.255:138 | whitelisted
5380 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4540 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5380 | svchost.exe | 104.85.249.145:80 | crl.microsoft.com | Akamai International B.V. | PL | unknown
5140 | MoUsoCoreWorker.exe | 104.85.249.145:80 | crl.microsoft.com | Akamai International B.V. | PL | unknown
4540 | RUXIMICS.exe | 104.85.249.145:80 | crl.microsoft.com | Akamai International B.V. | PL | unknown
5380 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5140 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 104.85.249.145, 104.85.249.160 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
hackerinvasion.f3322.net | 49.13.77.253 | unknown
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
www.taobao.com | 163.181.92.205, 163.181.92.206 | malicious
watson.events.data.microsoft.com | 52.168.117.173, 20.189.173.22, 104.208.16.94 | whitelisted
self.events.data.microsoft.com | 52.182.143.214 | whitelisted

Threats

29 ETPRO signatures available at the full report
No debug info