File name:

rookie_2.34.1_portable.zip

Full analysis: https://app.any.run/tasks/af3ce437-400c-4b73-bb0f-e3541631b4cd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices in order to deliver further malicious payloads. It can infect a victim's computer, profile the system, and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: December 14, 2025, 13:56:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
github
loader
rclone
tool
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

F036FCDB20B031D103DDC48A7D4E3FDE

SHA1:

1122163C4DF062887A6943826ED5213242200306

SHA256:

A329B31B2FDA9F72C907B2688F6EE6D64B2E1A9A0D8EFD186B3D64B930550800

SSDEEP:

49152:9dfIxtxcItUxnyKtzSdEkuexaVDsBVZ4hCsgLUUK/JfCVODmXZw9xBjMnfqd7tLk:7fcTRKsdEtexaVIBVZ4h5gYUK/JfCVOS

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by analyst actions and is provided as is, for the reader's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7508)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7856)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • AndroidSideloader.exe (PID: 3104)
      • AndroidSideloader.exe (PID: 5172)
    • Drops 7-zip archiver for unpacking

      • AndroidSideloader.exe (PID: 3104)
    • Executable content was dropped or overwritten

      • AndroidSideloader.exe (PID: 3104)
      • 7z.exe (PID: 7372)
    • Application launched itself

      • adb.exe (PID: 2416)
      • powershell.exe (PID: 7856)
      • adb.exe (PID: 492)
    • RCLONE has been detected

      • rclone.exe (PID: 7700)
      • rclone.exe (PID: 224)
      • rclone.exe (PID: 6240)
      • rclone.exe (PID: 3032)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 7856)
      • powershell.exe (PID: 8028)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7856)
    • The process executes Powershell scripts

      • powershell.exe (PID: 7856)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7508)
    • Manual execution by a user

      • AndroidSideloader.exe (PID: 3104)
      • powershell.exe (PID: 7856)
      • AndroidSideloader.exe (PID: 5172)
    • Reads the computer name

      • AndroidSideloader.exe (PID: 3104)
      • 7z.exe (PID: 7372)
      • 7z.exe (PID: 7220)
      • rclone.exe (PID: 7700)
      • adb.exe (PID: 7312)
      • rclone.exe (PID: 224)
      • 7z.exe (PID: 7744)
      • AndroidSideloader.exe (PID: 5172)
      • adb.exe (PID: 4344)
      • rclone.exe (PID: 6240)
      • rclone.exe (PID: 3032)
      • 7z.exe (PID: 2144)
    • Checks supported languages

      • AndroidSideloader.exe (PID: 3104)
      • 7z.exe (PID: 7372)
      • 7z.exe (PID: 7220)
      • adb.exe (PID: 7432)
      • adb.exe (PID: 2416)
      • adb.exe (PID: 7312)
      • rclone.exe (PID: 224)
      • rclone.exe (PID: 7700)
      • 7z.exe (PID: 7744)
      • adb.exe (PID: 1236)
      • AndroidSideloader.exe (PID: 5172)
      • adb.exe (PID: 492)
      • adb.exe (PID: 6912)
      • adb.exe (PID: 4344)
      • rclone.exe (PID: 6240)
      • rclone.exe (PID: 3032)
      • adb.exe (PID: 2572)
      • 7z.exe (PID: 2144)
    • Disables trace logs

      • AndroidSideloader.exe (PID: 3104)
      • AndroidSideloader.exe (PID: 5172)
    • Reads the machine GUID from the registry

      • AndroidSideloader.exe (PID: 3104)
      • rclone.exe (PID: 224)
      • AndroidSideloader.exe (PID: 5172)
      • rclone.exe (PID: 3032)
    • Checks proxy server information

      • AndroidSideloader.exe (PID: 3104)
      • slui.exe (PID: 4808)
      • AndroidSideloader.exe (PID: 5172)
    • The sample compiled with english language support

      • AndroidSideloader.exe (PID: 3104)
      • 7z.exe (PID: 7372)
    • Create files in a temporary directory

      • adb.exe (PID: 7312)
      • rclone.exe (PID: 224)
      • rclone.exe (PID: 3032)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:07:16 13:27:44
ZipCRC: 0x418e997e
ZipCompressedSize: 138
ZipUncompressedSize: 190
ZipFileName: Rookie Offline.cmd
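The Indicators block above lists the archive's MD5/SHA1/SHA256, and the EXIF block lists the per-member ZIP fields (required version, compression method, modification date, CRC, sizes, member name) that produced the arch-exec and arch-scr tags. As an added example, not code from ANY.RUN or from the Rookie project, the Python below reproduces those fields with the standard-library zipfile module and derives the same two tags from member extensions. The archive it inspects is constructed in memory with made-up member names and contents (the real sample's members are not reproduced here), so it runs offline; the extension lists are the author's assumptions, not ANY.RUN's tagging rules.

```python
import hashlib
import io
import zipfile
from datetime import datetime

# Assumed extension sets; ANY.RUN's own arch-exec / arch-scr logic is not public here.
SCRIPT_EXTS = {".cmd", ".bat", ".ps1", ".vbs", ".js", ".hta"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}
COMPRESSION_NAMES = {
    zipfile.ZIP_STORED: "Stored",
    zipfile.ZIP_DEFLATED: "Deflated",
    zipfile.ZIP_BZIP2: "BZip2",
    zipfile.ZIP_LZMA: "LZMA",
}


def file_hashes(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 of the whole file, upper-case hex like the report's Indicators block."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]          # ZIP members use forward slashes
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def inspect_zip(data: bytes) -> dict:
    """Walk the central directory and emit the EXIF-style fields plus archive tags."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = _extension(info.filename)
            members.append({
                "name": info.filename,
                "required_version": info.extract_version,   # ZipRequiredVersion
                "bit_flag": info.flag_bits,                  # ZipBitFlag
                "compression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                "modify_date": datetime(*info.date_time).strftime("%Y:%m:%d %H:%M:%S"),
                "crc": f"0x{info.CRC:08x}",                  # ZipCRC
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
                "is_script": ext in SCRIPT_EXTS,
                "is_executable": ext in EXEC_EXTS,
            })
    tags = []
    if any(m["is_executable"] for m in members):
        tags.append("arch-exec")
    if any(m["is_script"] for m in members):
        tags.append("arch-scr")
    return {"hashes": file_hashes(data), "member_count": len(members), "members": members, "tags": tags}


def build_sample_zip() -> bytes:
    """Constructed test archive: one launcher script, one fake PE stub, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Launcher Offline.cmd", "@echo off\r\necho constructed sample\r\n")
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 62)      # not a real PE, just the magic
        zf.writestr("README.txt", "constructed sample archive\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(build_sample_zip())
    print("hashes:", report["hashes"])
    print("tags:", report["tags"])
    for m in report["members"]:
        print(m)
```

On a real download you would read the file bytes instead of calling build_sample_zip() and compare the SHA256 with the value in the Indicators block before doing anything else with the archive; note that zipfile only reads the central directory, so a member can still be mis-typed by extension alone.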
No data.
All screenshots are available in the full report
Total processes
184
Monitored processes
38
Malicious processes
0
Suspicious processes
3

Behavior graph

Process launch order as shown in the graph ("no specs" marks a process with no signatures; THREAT marks a process with an attributed network threat):
  • start
  • winrar.exe
  • androidsideloader.exe
  • 7z.exe
  • conhost.exe (no specs)
  • slui.exe
  • 7z.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • THREAT rclone.exe (no specs)
  • conhost.exe (no specs)
  • THREAT rclone.exe
  • conhost.exe (no specs)
  • 7z.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • androidsideloader.exe
  • adb.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • THREAT rclone.exe (no specs)
  • conhost.exe (no specs)
  • THREAT rclone.exe
  • conhost.exe (no specs)
  • 7z.exe (no specs)
  • conhost.exe (no specs)
  • adb.exe (no specs)
  • conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 224
CMD: "C:\Users\admin\Downloads\rclone\rclone.exe" sync ":http:/meta.7z" "C:\Users\admin\Downloads" --inplace --http-url https://go.vrpyourself.online/ --tpslimit 1.0 --tpslimit-burst 3
Path: C:\Users\admin\Downloads\rclone\rclone.exe
Parent process: AndroidSideloader.exe
User:
admin
Company:
https://rclone.org
Integrity Level:
MEDIUM
Description:
Rclone
Exit code:
0
Version:
1.68.2
Modules
Images
c:\users\admin\downloads\rclone\rclone.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 492
CMD: "C:\RSL\platform-tools\adb.exe" start-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: rclone.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1236
CMD: "C:\RSL\platform-tools\adb.exe" kill-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1352
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: rclone.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: "7z.exe" x "C:\Users\admin\Downloads\meta.7z" -y -o"C:\Users\admin\Downloads\meta" -p"gL59VfgPxoHR" -bsp1
Path: C:\Users\admin\Downloads\7z.exe
Parent process: AndroidSideloader.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
24.09
Modules
Images
c:\users\admin\downloads\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 2256
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: adb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2416
CMD: "C:\RSL\platform-tools\adb.exe" start-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2572
CMD: "C:\RSL\platform-tools\adb.exe" kill-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2760
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: adb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
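The process list above shows the chain the report's signatures fire on: AndroidSideloader.exe runs rclone.exe with sync against rclone's on-the-fly ":http:" remote (--http-url https://go.vrpyourself.online/, object meta.7z), then runs 7z.exe x on the downloaded archive with an inline password (-p"gL59VfgPxoHR"), and separately a powershell.exe instance triggers "Bypass execution policy to execute commands". The report's own counters put this in context: 0 malicious processes, 3 suspicious, and the two MALICIOUS-class signatures are a generic archive extractor and the execution-policy bypass. As an added example, not code from ANY.RUN or from the Rookie project, the Python below runs that chain logic over process-creation events as a triage check, not a malice verdict. The rclone and 7z command lines are the ones printed in this report; the adb event is also from the report; the powershell command line, the parent of that powershell instance (explorer.exe), and the event dictionary shape are constructed assumptions, since the report does not print them. Joining --http-url and the ":http:" path into one object URL follows rclone's http backend convention (url plus path).

```python
from collections import defaultdict


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace outside double quotes; quote characters are dropped."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs for one process-creation event."""
    image = _basename(ev["image"])
    argv = tokenize(ev["command_line"])
    lowered = [a.lower() for a in argv]
    findings = []

    # rclone pulling an object through the on-the-fly ":http:" remote.
    if image == "rclone.exe" and "--http-url" in lowered[:-1]:
        base = argv[lowered.index("--http-url") + 1]
        remote = next((a for a in argv if a.startswith(":http:")), "")
        target = (base.rstrip("/") + "/" + remote[len(":http:"):].lstrip("/")) if remote else base
        findings.append(("rclone_http_pull", target))

    # 7-Zip extraction ("x") with the password supplied inline as -p<password>.
    if image == "7z.exe" and len(argv) > 1 and argv[1] == "x":
        password = next((a[2:] for a in argv if a.startswith("-p") and len(a) > 2), "")
        if password:
            findings.append(("7z_password_extract", password))

    # PowerShell launched with the execution policy bypassed; detail is the -File target if any.
    if image in ("powershell.exe", "pwsh.exe"):
        for i, a in enumerate(lowered[:-1]):
            if a in ("-executionpolicy", "-ep", "-exec") and lowered[i + 1] == "bypass":
                script = argv[lowered.index("-file") + 1] if "-file" in lowered[:-1] else ""
                findings.append(("powershell_execpolicy_bypass", script))
                break
    return findings


def triage(events: list[dict]) -> dict:
    """Collect findings and name parents that both pulled over HTTP and extracted with a password."""
    findings = []
    kinds_by_parent = defaultdict(set)
    for ev in events:
        for kind, detail in analyze_event(ev):
            findings.append((ev["pid"], kind, detail))
            kinds_by_parent[_basename(ev["parent_image"])].add(kind)
    chains = [p for p, kinds in kinds_by_parent.items()
              if {"rclone_http_pull", "7z_password_extract"} <= kinds]
    return {"findings": findings, "chains": sorted(chains)}


# Constructed event list (field names assumed). rclone, 7z and adb lines come from the report;
# the powershell line and its explorer.exe parent are made up for illustration.
SAMPLE_EVENTS = [
    {"pid": 224, "image": r"C:\Users\admin\Downloads\rclone\rclone.exe", "parent_image": "AndroidSideloader.exe",
     "command_line": r'"C:\Users\admin\Downloads\rclone\rclone.exe" sync ":http:/meta.7z" "C:\Users\admin\Downloads" --inplace --http-url https://go.vrpyourself.online/ --tpslimit 1.0 --tpslimit-burst 3'},
    {"pid": 2144, "image": r"C:\Users\admin\Downloads\7z.exe", "parent_image": "AndroidSideloader.exe",
     "command_line": r'"7z.exe" x "C:\Users\admin\Downloads\meta.7z" -y -o"C:\Users\admin\Downloads\meta" -p"gL59VfgPxoHR" -bsp1'},
    {"pid": 492, "image": r"C:\RSL\platform-tools\adb.exe", "parent_image": "AndroidSideloader.exe",
     "command_line": r'"C:\RSL\platform-tools\adb.exe" start-server'},
    {"pid": 7856, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": "explorer.exe",
     "command_line": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\admin\Downloads\AddDefenderExceptions.ps1"'},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid, kind, detail in result["findings"]:
        print(f"PID {pid}: {kind} -> {detail}")
    print("parents with pull-then-extract chain:", result["chains"])
```

The password and target URL are returned as findings rather than acted on: in this report the recovered URL and password are exactly what a responder needs to fetch and open meta.7z in an isolated environment, and the chain rule keys on the same parent (AndroidSideloader.exe) so that an unrelated rclone backup job on the host does not match by itself.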
Total events
34 436
Read events
34 398
Write events
25
Delete events
13

Modification events

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\rookie_2.34.1_portable.zip

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value:

(PID) Process: (7508) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value:

Executable files
17
Suspicious files
9
Text files
5 014
Unknown types
17

Dropped files

PID
Process
Filename
Type
PID 3104 (AndroidSideloader.exe)  C:\Users\admin\Downloads\dependencies.7z
MD5:
SHA256:
PID 3104 (AndroidSideloader.exe)  C:\Users\admin\Downloads\7z.dll  [executable]
MD5: C4AABD70DC28C9516809B775A30FDD3F
SHA256: 882063948D675EE41B5AE68DB3E84879350EC81CF88D15B9BABF2FA08E332863
PID 7372 (7z.exe)  C:\RSL\platform-tools\aapt.exe  [executable]
MD5: 0DD164F26A0485592B34F302D7631493
SHA256: DB0BA2050B8F6B37185D2BA458D6E25B565AEFA3F3B96040ADF0A82C3469CE3C
PID 3104 (AndroidSideloader.exe)  C:\Users\admin\Downloads\settings.json  [binary]
MD5: 04C73B07D0ED027E1053A9F9979652BA
SHA256: 5CD5570753D011DFF58DE42946D79E9E53949904FEB7FF793E74A83CAF87CD5C
PID 7372 (7z.exe)  C:\RSL\platform-tools\package.xml  [xml]
MD5: 7249F82E3BEB8611AD2EF847D08220AA
SHA256: CB808450DB3503B2600270EDB265544D4BDF4516A364F56E59F93E4C0C27F43E
PID 3104 (AndroidSideloader.exe)  C:\Users\admin\Downloads\Sideloader Launcher.exe  [executable]
MD5: A53A5E70248EB3DA58DEFA74B0554704
SHA256: 98BC8CF1C6A59EF70D6431E1E92887984E5B21C8FBC85B4AD23CCC70589C4B1F
PID 7508 (WinRAR.exe)  C:\Users\admin\Downloads\CleanupInstall.cmd  [text]
MD5: 9AE44CEBBDE4F44C27801BBF93494C1D
SHA256: 57FC69317DE4E7B75A6D45C6037572738F6B48766A6C0D8A47A4F4A4CC533281
PID 7372 (7z.exe)  C:\RSL\platform-tools\etc1tool.exe  [executable]
MD5: 7E69E9643C14F5D64BF55407C77E58A1
SHA256: DCAA07F97F357564847D2375FD15C4E39CADB5DB0FC70C6BC971049B65AC646F
PID 7372 (7z.exe)  C:\RSL\platform-tools\AdbWinApi.dll  [executable]
MD5: D79A7C0A425F768FC9F9BCF2AA144D8F
SHA256: 1AD523231DE449AF3BA0E8664D3AF332F0C5CC4F09141691CA05E35368FA811A
PID 7508 (WinRAR.exe)  C:\Users\admin\Downloads\AddDefenderExceptions.ps1  [text]
MD5: 598164F06F8ABD143A91D20C0562EB93
SHA256: A8CDB6D8B436DDCA50FCB94F6A6118E6D3B7F01288F15C676D941EBFFDE76C37
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
37
DNS requests
24
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
unknown
whitelisted
8084
SIHClient.exe
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
8084
SIHClient.exe
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
8084
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
3104
AndroidSideloader.exe
GET
302
140.82.121.4:443
https://github.com/VRPirates/rookie/raw/master/Sideloader%20Launcher.exe
unknown
whitelisted
8084
SIHClient.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
3104
AndroidSideloader.exe
GET
302
140.82.121.4:443
https://github.com/VRPirates/rookie/raw/master/dependencies.7z
unknown
whitelisted
8084
SIHClient.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
3104
AndroidSideloader.exe
GET
302
140.82.121.4:443
https://github.com/VRPirates/rookie/raw/master/7z64.exe
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
4968
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4940
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
4968
svchost.exe
23.216.77.6:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
4968
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
6768
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4260
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4260
svchost.exe
172.66.2.5:80
ocsp.digicert.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.22
  • 20.190.160.67
  • 20.190.160.20
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.132
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 172.66.2.5
  • 162.159.142.9
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
github.com
  • 140.82.121.4
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Misc activity
ET HUNTING EXE Downloaded from Github
3104
AndroidSideloader.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
5172
AndroidSideloader.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
No debug info