File name: ExpressVPN.zip

Full analysis: https://app.any.run/tasks/64167941-d0a8-474b-9f31-d9fa4c50015c
Verdict: Malicious activity
Analysis date: February 01, 2025, 01:39:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
github
telegram
python
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 7694AC2F1A1FD0B9B811AA73D3FAC3D5
SHA1: D41381EB7FE16E58002D7751B92E809D97C528AE
SHA256: A5CBCDB2E3BE1BA5D455670F26D556E1549C7F80F92305687E45232CE9DB8FA9
SSDEEP: 98304:f6dq6foRanDHPNqQ/K1Nfsdr8d9eVxEGgNoRlwV4dvcuATIVbuR4Y1gifRNMEkQU:c8ZNVPmBLYGh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • ExpressVPNManager.exe (PID: 6244)
    • Process drops python dynamic module

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • ExpressVPNManager.exe (PID: 6244)
    • Executable content was dropped or overwritten

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • _ExpressVPN.exe (PID: 7156)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPNManager.exe (PID: 6244)
    • The process drops C-runtime libraries

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • ExpressVPNManager.exe (PID: 6244)
    • Application launched itself

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
    • Reads security settings of Internet Explorer

      • ExpressVPN.exe (PID: 7052)
      • _ExpressVPN.exe (PID: 7156)
      • signtool.exe (PID: 5008)
      • signtool.exe (PID: 1544)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPN.exe (PID: 6256)
      • signtool.exe (PID: 4160)
      • _ExpressVPN.exe (PID: 5300)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3288)
      • ExpressVPN.exe (PID: 3832)
      • signtool.exe (PID: 3000)
      • signtool.exe (PID: 4984)
      • signtool.exe (PID: 4512)
      • signtool.exe (PID: 3640)
      • signtool.exe (PID: 5972)
    • Loads Python modules

      • _ExpressVPN.exe (PID: 7156)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPNManager.exe (PID: 6244)
      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
      • ExpressVPNManager.exe (PID: 5032)
    • The executable file from the user directory is run by the CMD process

      • delcert.exe (PID: 2928)
      • delcert.exe (PID: 4388)
      • signtool.exe (PID: 1544)
      • signtool.exe (PID: 5008)
      • signtool.exe (PID: 4160)
      • delcert.exe (PID: 6300)
      • delcert.exe (PID: 6864)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3288)
      • delcert.exe (PID: 3524)
      • delcert.exe (PID: 4648)
      • signtool.exe (PID: 3000)
      • ExpressVPNManager.exe (PID: 1576)
      • delcert.exe (PID: 880)
      • signtool.exe (PID: 4984)
      • delcert.exe (PID: 2144)
      • signtool.exe (PID: 4512)
      • delcert.exe (PID: 5564)
      • delcert.exe (PID: 4328)
      • signtool.exe (PID: 3640)
      • signtool.exe (PID: 5972)
      • ExpressVPNManager.exe (PID: 188)
    • Starts CMD.EXE for commands execution

      • _ExpressVPN.exe (PID: 7156)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPNManager.exe (PID: 6244)
      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
      • ExpressVPNManager.exe (PID: 1576)
      • ExpressVPNManager.exe (PID: 5032)
      • ExpressVPNManager.exe (PID: 2624)
      • ExpressVPNManager.exe (PID: 188)
    • Starts a Microsoft application from unusual location

      • signtool.exe (PID: 5008)
      • signtool.exe (PID: 1544)
      • signtool.exe (PID: 4160)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3288)
      • signtool.exe (PID: 3000)
      • signtool.exe (PID: 4984)
      • signtool.exe (PID: 5972)
    • Executes as Windows Service

      • rundll32.exe (PID: 6264)
      • rundll32.exe (PID: 4984)
    • Windows service management via SC.EXE

      • sc.exe (PID: 6308)
      • sc.exe (PID: 5560)
    • Stops a currently running service

      • sc.exe (PID: 6316)
      • sc.exe (PID: 876)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6976)
      • cmd.exe (PID: 4500)
    • There is functionality for taking screenshot (YARA)

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
    • Executing commands from a ".bat" file

      • ExpressVPNManager.exe (PID: 2624)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4500)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 4556)
      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • ExpressVPNManager.exe (PID: 6244)
    • Checks supported languages

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • ExpressVPN.exe (PID: 7052)
      • _ExpressVPN.exe (PID: 7156)
      • delcert.exe (PID: 2928)
      • signtool.exe (PID: 5008)
      • ExpressVPN.exe (PID: 5036)
      • delcert.exe (PID: 4388)
      • signtool.exe (PID: 1544)
      • ExpressVPNManager.exe (PID: 6244)
      • ExpressVPN.exe (PID: 6256)
      • signtool.exe (PID: 4160)
      • _ExpressVPN.exe (PID: 5300)
      • delcert.exe (PID: 6300)
      • delcert.exe (PID: 6864)
      • signtool.exe (PID: 6980)
      • ExpressVPN.exe (PID: 3832)
      • signtool.exe (PID: 3288)
      • delcert.exe (PID: 3524)
      • ExpressVPNManager.exe (PID: 5032)
      • delcert.exe (PID: 4648)
      • signtool.exe (PID: 3000)
      • ExpressVPNManager.exe (PID: 1576)
      • delcert.exe (PID: 880)
      • ExpressVPNManager.exe (PID: 2624)
      • signtool.exe (PID: 4984)
      • delcert.exe (PID: 2144)
      • signtool.exe (PID: 4512)
      • delcert.exe (PID: 5564)
      • delcert.exe (PID: 4328)
      • signtool.exe (PID: 3640)
      • signtool.exe (PID: 5972)
      • Application Hosts Tasks Manager.exe (PID: 5340)
      • ExpressVPNManager.exe (PID: 188)
      • ExpressVPNManager.exe (PID: 6976)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4556)
    • Manual execution by a user

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6828)
      • ExpressVPN.exe (PID: 6996)
    • Create files in a temporary directory

      • ExpressVPN.exe (PID: 6880)
      • ExpressVPN.exe (PID: 6996)
      • _ExpressVPN.exe (PID: 7156)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPNManager.exe (PID: 6244)
      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
    • Reads the computer name

      • ExpressVPN.exe (PID: 7052)
      • _ExpressVPN.exe (PID: 7156)
      • signtool.exe (PID: 5008)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPNManager.exe (PID: 6244)
      • signtool.exe (PID: 1544)
      • ExpressVPN.exe (PID: 6256)
      • signtool.exe (PID: 4160)
      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3288)
      • ExpressVPNManager.exe (PID: 5032)
      • signtool.exe (PID: 3000)
      • ExpressVPNManager.exe (PID: 1576)
      • ExpressVPNManager.exe (PID: 2624)
      • signtool.exe (PID: 4984)
      • signtool.exe (PID: 4512)
      • signtool.exe (PID: 3640)
      • signtool.exe (PID: 5972)
      • Application Hosts Tasks Manager.exe (PID: 5340)
      • ExpressVPNManager.exe (PID: 188)
      • ExpressVPNManager.exe (PID: 6976)
    • Process checks computer location settings

      • ExpressVPN.exe (PID: 7052)
      • _ExpressVPN.exe (PID: 7156)
      • ExpressVPN.exe (PID: 5036)
      • ExpressVPN.exe (PID: 6256)
      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
    • Reads the machine GUID from the registry

      • _ExpressVPN.exe (PID: 7156)
      • signtool.exe (PID: 5008)
      • ExpressVPN.exe (PID: 5036)
      • signtool.exe (PID: 1544)
      • ExpressVPNManager.exe (PID: 6244)
      • signtool.exe (PID: 4160)
      • _ExpressVPN.exe (PID: 5300)
      • ExpressVPN.exe (PID: 3832)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3288)
      • ExpressVPNManager.exe (PID: 5032)
      • signtool.exe (PID: 3000)
      • ExpressVPNManager.exe (PID: 1576)
      • ExpressVPNManager.exe (PID: 2624)
      • signtool.exe (PID: 4512)
      • signtool.exe (PID: 4984)
      • signtool.exe (PID: 5972)
      • signtool.exe (PID: 3640)
      • ExpressVPNManager.exe (PID: 188)
      • ExpressVPNManager.exe (PID: 6976)
      • Application Hosts Tasks Manager.exe (PID: 5340)
    • Checks proxy server information

      • signtool.exe (PID: 5008)
      • signtool.exe (PID: 1544)
      • signtool.exe (PID: 4160)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3000)
      • signtool.exe (PID: 3288)
      • signtool.exe (PID: 4984)
      • signtool.exe (PID: 5972)
    • Reads the software policy settings

      • signtool.exe (PID: 5008)
      • signtool.exe (PID: 1544)
      • signtool.exe (PID: 4160)
      • signtool.exe (PID: 6980)
      • signtool.exe (PID: 3288)
      • signtool.exe (PID: 3000)
      • signtool.exe (PID: 4512)
      • signtool.exe (PID: 4984)
      • signtool.exe (PID: 3640)
      • signtool.exe (PID: 5972)
    • Creates files or folders in the user directory

      • ExpressVPNManager.exe (PID: 6244)
      • ExpressVPNManager.exe (PID: 5032)
      • ExpressVPNManager.exe (PID: 1576)
      • ExpressVPN.exe (PID: 3832)
      • ExpressVPNManager.exe (PID: 188)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 6264)
      • rundll32.exe (PID: 4984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:10:12 19:29:12
ZipCRC: 0x2b0d384c
ZipCompressedSize: 6302958
ZipUncompressedSize: 6359744
ZipFileName: ExpressVPN.exe
No data.
All screenshots are available in the full report
Total processes: 228
Monitored processes: 105
Malicious processes: 8
Suspicious processes: 4

Behavior graph

(Interactive process graph, available in the full report. Processes shown in the graph, most of them marked "no specs": winrar.exe, expressvpn.exe, _expressvpn.exe, cmd.exe, conhost.exe, delcert.exe, signtool.exe, expressvpnmanager.exe, rundll32.exe, sc.exe, taskkill.exe, timeout.exe, application hosts tasks manager.exe.)

Process information

PID: 132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 188
CMD: "C:\Users\admin\AppData\TempDirs\tmp8tt2wnkj\ExpressVPNManager.exe"
Path: C:\Users\admin\AppData\TempDirs\tmp8tt2wnkj\ExpressVPNManager.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH

PID: 396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 876
CMD: sc.exe stop WinPwnage
Path: C:\Windows\SysWOW64\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 880
CMD: "C:\Users\admin\AppData\Local\Temp\7ZipSfx.001\config\datafiles\delcert.exe" "C:\Users\admin\AppData\TempDirs\tmp8tt2wnkj\ExpressVPNManager.exe_"
Path: C:\Users\admin\AppData\Local\Temp\7ZipSfx.001\config\datafiles\delcert.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 18

PID: 968
CMD: TIMEOUT 2
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: timeout - pauses command processing
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1400
CMD: TASKKILL /PID 2624 /F
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1488
CMD: C:\WINDOWS\system32\cmd.exe /c "sc.exe stop WinPwnage"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: ExpressVPNManager.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1060
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 1536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 42 756
Read events: 42 698
Write events: 45
Delete events: 13

Modification events

PID | Process | Key | Operation | Name | Value
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\ExpressVPN.zip
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 15 | -
4556 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 14 | -
Executable files: 221
Suspicious files: 576
Text files: 221
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ast.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\charset_normalizer\cd.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\charset_normalizer\constant.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\charset_normalizer\version.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\charset_normalizer\__init__.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\config\argparse.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\certifi\core.pyc | binary | 90FE293CEA469DC1104920680ECF7A0C | 65A96479215560350629F2037E0CD9DD9EEF781F8FC8D860A30AC96C47C5A1CB
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\config\certifi\core.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\config\certifi\__init__.pyc | - | - | -
6880 | ExpressVPN.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\certifi\__init__.pyc | binary | B36CD964E388A7FABB4331B05FABD722 | 951F2D5E931E605AD479526B367F83A9EED7E966B66E6756617AC34A9CEAAD1A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 104
TCP/UDP connections: 260
DNS requests: 245
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 95.101.78.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted
- | - | GET | 200 | 95.101.78.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
7020 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 419 b | whitelisted
7020 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 408 b | whitelisted
6504 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | DE | binary | 471 b | whitelisted
5008 | signtool.exe | POST | 200 | 216.168.244.9:80 | http://timestamp.digicert.com/ | US | text | 8.03 Kb | unknown
1544 | signtool.exe | POST | 200 | 216.168.244.9:80 | http://timestamp.digicert.com/ | US | text | 8.03 Kb | unknown
4160 | signtool.exe | POST | 200 | 216.168.244.9:80 | http://timestamp.digicert.com/ | US | text | 8.03 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 95.101.78.42:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4536 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.21.65.132:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
1176 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 95.101.78.42
  • 95.101.78.32
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.21.65.132
  • 2.21.65.154
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.3
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.132
  • 20.190.160.5
  • 20.190.160.14
  • 20.190.160.2
  • 20.190.159.2
  • 40.126.31.131
  • 20.190.159.71
  • 20.190.159.131
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.130
  • 20.190.159.75
whitelisted
go.microsoft.com
  • 184.28.89.167
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
- | - | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
- | - | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Google App Engine (appspot .com)
- | - | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (pcloud .com)
- | - | Potentially Bad Traffic | ET INFO Cloud Storage API Related Domain in DNS Lookup (api .pcloud .com)
- | - | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (pcloud .com) in TLS SNI
- | - | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (pcloud .com) in TLS SNI
- | - | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (pcloud .com)
- | - | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (pcloud .com) in TLS SNI
No debug info