File name: Rose V3.rar
Full analysis: https://app.any.run/tasks/92d51f76-c447-49fe-8849-e29fd8781897
Verdict: Malicious activity
Analysis date: May 21, 2022, 09:43:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 5AAEC23E117DFA0FDA911148420D46DE
SHA1: 9232BCF5ED0C4C000EDD9411ACDD6DF278B146D5
SHA256: ADDED4300D3048BC827FD897CDF947692654FCD5D36EA18542D49F872DCB9831
SSDEEP: 12288:+wInphGuQjVZI8JNRBkCTVochFP/AN/4gXCExdA25r3+a76M/0qgJF8bji3:DInvy88JNRLTVoyZAOgSwqGDVJ0FD
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3596)
      • Setup.exe (PID: 4048)
      • ROSED.exe (PID: 1780)
      • Rose.exe (PID: 344)
      • Rose.exe (PID: 2216)
      • svchost.exe (PID: 2000)
      • aspnet_regiis.exe (PID: 1264)
      • mscorsvw.exe (PID: 2728)
      • ngen.exe (PID: 3040)
    • Application was dropped or rewritten from another process

      • Rose.exe (PID: 2216)
      • ROSED.exe (PID: 1780)
      • Rose.exe (PID: 344)
      • ndp48-web.exe (PID: 672)
      • ndp48-web.exe (PID: 3412)
      • Setup.exe (PID: 4048)
      • SetupUtility.exe (PID: 2996)
      • SetupUtility.exe (PID: 2560)
      • ServiceModelReg.exe (PID: 3944)
      • regtlibv12.exe (PID: 2844)
      • regtlibv12.exe (PID: 3480)
      • regtlibv12.exe (PID: 4092)
      • regtlibv12.exe (PID: 2136)
      • regtlibv12.exe (PID: 2524)
      • regtlibv12.exe (PID: 488)
      • regtlibv12.exe (PID: 3000)
      • ngen.exe (PID: 3040)
      • aspnet_regiis.exe (PID: 1264)
      • mscorsvw.exe (PID: 2728)
    • Drops executable file immediately after start

      • WinRAR.exe (PID: 2060)
      • iexplore.exe (PID: 1624)
      • iexplore.exe (PID: 1516)
      • ndp48-web.exe (PID: 3412)
      • msiexec.exe (PID: 1344)
    • Actions look like stealing of personal data

      • ndp48-web.exe (PID: 3412)
    • Changes settings of System certificates

      • Setup.exe (PID: 4048)
    • Loads the Task Scheduler COM API

      • ngen.exe (PID: 3040)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2060)
      • Rose.exe (PID: 2216)
      • Rose.exe (PID: 344)
      • ndp48-web.exe (PID: 3412)
      • Setup.exe (PID: 4048)
      • SetupUtility.exe (PID: 2560)
      • SetupUtility.exe (PID: 2996)
      • msiexec.exe (PID: 1344)
      • MsiExec.exe (PID: 2132)
      • TMP1540.tmp.exe (PID: 2500)
      • MsiExec.exe (PID: 116)
      • ServiceModelReg.exe (PID: 3944)
      • mofcomp.exe (PID: 3952)
      • mofcomp.exe (PID: 1984)
      • aspnet_regiis.exe (PID: 1264)
      • mofcomp.exe (PID: 1496)
      • mscorsvw.exe (PID: 2728)
      • ngen.exe (PID: 3040)
    • Checks supported languages

      • WinRAR.exe (PID: 2060)
      • Rose.exe (PID: 2216)
      • ROSED.exe (PID: 1780)
      • Rose.exe (PID: 344)
      • ndp48-web.exe (PID: 3412)
      • Setup.exe (PID: 4048)
      • SetupUtility.exe (PID: 2560)
      • SetupUtility.exe (PID: 2996)
      • msiexec.exe (PID: 1344)
      • TMP1540.tmp.exe (PID: 2500)
      • MsiExec.exe (PID: 2132)
      • MsiExec.exe (PID: 116)
      • ServiceModelReg.exe (PID: 3944)
      • regtlibv12.exe (PID: 3480)
      • regtlibv12.exe (PID: 2844)
      • regtlibv12.exe (PID: 2524)
      • regtlibv12.exe (PID: 488)
      • regtlibv12.exe (PID: 2136)
      • regtlibv12.exe (PID: 4092)
      • regtlibv12.exe (PID: 3000)
      • aspnet_regiis.exe (PID: 1264)
      • mofcomp.exe (PID: 1984)
      • mofcomp.exe (PID: 1496)
      • ngen.exe (PID: 3040)
      • mofcomp.exe (PID: 3952)
      • mscorsvw.exe (PID: 2728)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2060)
      • iexplore.exe (PID: 1516)
      • iexplore.exe (PID: 1624)
      • ndp48-web.exe (PID: 3412)
      • TMP1540.tmp.exe (PID: 2500)
      • Setup.exe (PID: 4048)
      • msiexec.exe (PID: 1344)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2060)
      • iexplore.exe (PID: 1624)
      • iexplore.exe (PID: 1516)
      • ndp48-web.exe (PID: 3412)
      • msiexec.exe (PID: 1344)
    • Starts Internet Explorer

      • Rose.exe (PID: 2216)
      • Rose.exe (PID: 344)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3828)
      • iexplore.exe (PID: 1624)
    • Reads CPU info

      • Setup.exe (PID: 4048)
    • Reads Environment values

      • Setup.exe (PID: 4048)
    • Reads the Windows organization settings

      • msiexec.exe (PID: 1344)
    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 1344)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 1344)
      • aspnet_regiis.exe (PID: 1264)
    • Checks for the .NET to be installed

      • msiexec.exe (PID: 1344)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 1344)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 1344)
      • lodctr.exe (PID: 3988)
      • aspnet_regiis.exe (PID: 1264)
      • ngen.exe (PID: 3040)
    • Removes files from Windows directory

      • lodctr.exe (PID: 3988)
      • msiexec.exe (PID: 1344)
      • aspnet_regiis.exe (PID: 1264)
  • INFO

    • Manual execution by user

      • Rose.exe (PID: 2216)
      • Rose.exe (PID: 344)
      • ROSED.exe (PID: 1780)
    • Checks supported languages

      • iexplore.exe (PID: 3828)
      • iexplore.exe (PID: 2836)
      • iexplore.exe (PID: 1624)
      • iexplore.exe (PID: 1516)
      • lodctr.exe (PID: 3988)
      • wevtutil.exe (PID: 3320)
      • wevtutil.exe (PID: 2316)
    • Reads the computer name

      • iexplore.exe (PID: 2836)
      • iexplore.exe (PID: 3828)
      • iexplore.exe (PID: 1516)
      • iexplore.exe (PID: 1624)
      • wevtutil.exe (PID: 2316)
      • wevtutil.exe (PID: 3320)
      • lodctr.exe (PID: 3988)
    • Changes internet zones settings

      • iexplore.exe (PID: 2836)
      • iexplore.exe (PID: 1516)
    • Application launched itself

      • iexplore.exe (PID: 2836)
      • iexplore.exe (PID: 1516)
      • msiexec.exe (PID: 1344)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2836)
      • iexplore.exe (PID: 1516)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3828)
      • iexplore.exe (PID: 1624)
      • iexplore.exe (PID: 1516)
      • Setup.exe (PID: 4048)
      • msiexec.exe (PID: 1344)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3828)
      • iexplore.exe (PID: 1624)
      • iexplore.exe (PID: 1516)
      • Setup.exe (PID: 4048)
      • msiexec.exe (PID: 1344)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1516)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 1516)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1516)
      • svchost.exe (PID: 2000)
      • SetupUtility.exe (PID: 2996)
      • Setup.exe (PID: 4048)
      • msiexec.exe (PID: 1344)
      • mscorsvw.exe (PID: 2728)
    • Creates files in the user directory

      • iexplore.exe (PID: 1624)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1624)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1516)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 116)
      • msiexec.exe (PID: 1344)
      • MsiExec.exe (PID: 2132)
    • Creates or modifies windows services

      • msiexec.exe (PID: 1344)
    • Searches for installed software

      • msiexec.exe (PID: 1344)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1344)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 88
Monitored processes: 36
Malicious processes: 14
Suspicious processes: 3


Process information

PID: 2060
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rose V3.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3596
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2216
CMD: "C:\Users\admin\Desktop\Rose V3\Rose.exe"
Path: C:\Users\admin\Desktop\Rose V3\Rose.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: PRose
Exit code: 2148734720
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\rose v3\rose.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2836
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.6&processName=Rose.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Rose.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
PID: 3828
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 1780
CMD: "C:\Users\admin\Desktop\Rose V3\ROSED.exe"
Path: C:\Users\admin\Desktop\Rose V3\ROSED.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Stub
Exit code: 2148734720
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\rose v3\rosed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 344
CMD: "C:\Users\admin\Desktop\Rose V3\Rose.exe"
Path: C:\Users\admin\Desktop\Rose V3\Rose.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: PRose
Exit code: 2148734720
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\rose v3\rose.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1516
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.6&processName=Rose.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Rose.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
PID: 1624
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1516 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 672
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ndp48-web.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ndp48-web.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Framework 4.8 Setup
Exit code: 3221226540
Version: 4.8.04115.00
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\ndp48-web.exe
c:\windows\system32\ntdll.dll
Total events: 92 736
Read events: 76 284
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 2 458
Suspicious files: 77
Text files: 446
Unknown types: 27

Dropped files

PID | Process | Filename | Type
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\Rose.exe.config | xml
  MD5: 423D80A4E92D50BF40A558325D34ED61
  SHA256: 4FDE45606EB6404095D43739B1ECCFD3780A1B27978A9C1B009CB8457FD7F617
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\Rose.exe | executable
  MD5: 8AA80A52596D11CCDDA254A6C3028681
  SHA256: 005AB8F8ACBD505ECB2FBF5FE4376E616028965C035844A0835BAD75C1B4284A
3828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 8AB617616B3DDDA28276E8E2F5238AFD
  SHA256: 5D85930D336E786A1F83EFD14C03E5695F9533CB98F4CB077D7B5D4CFE0C7234
2836 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7FB1AC21-D8EA-11EC-BF60-12A9866C77DE}.dat | binary
  MD5: 304937010E684300B3142CA69F22E619
  SHA256: 8391CE27296E9ECDC6379A91D8B9E9C42D05A76D89FE1E535AC21F36CBE1D282
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\snk.snk | snk
  MD5: 9A35B2E35E9ABC466F2393240AE2812B
  SHA256: F2D2D5D6807609FBAA890504D439C0C78DB1A9B6C350BE8A776F296CE0BE7950
2836 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9FB51C76084ECE2B.TMP | gmc
  MD5: 3C6407F523611F3687E8EAF4ED04D92D
  SHA256: AE70439D3759F85AE42B9FAB561F31AFA04282B3168DFB04C1A2B5C0DD28F19B
3828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | der
  MD5: 136BA521784A8CE47A3850452207B885
  SHA256: 8FB5921945889E17A35D67A61A81A767323F57FE0EDD07A1FA6DADBD62669117
3828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
  MD5: AC4726FEE26B5D7F5BC731F03E7D7E34
  SHA256: 990F044CAB696ED00BBC2CB11C62BA52EE6D61F33AAFD5F78CD35EA3513D9C01
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\dnlib.dll | executable
  MD5: 72B9C1848F3389A8755D0226F085B7A4
  SHA256: 77C81BF7C861F4EB54996385F701183687A3BC7B966E68E8BB635449A0827ECB
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\ROSED.exe | executable
  MD5: 232994CA1C5030F064FE0195BE541418
  SHA256: 2CEEDBC2400CBFF16DF36F45089FAF4E132CCD93A4A06D8578C89568E00CD8C0
HTTP(S) requests: 25
TCP/UDP connections: 46
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
880 | svchost.exe | GET | 302 | 104.90.179.99:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=x86&o1=netfx_Full.mzz | NL |  |  | whitelisted
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted
880 | svchost.exe | HEAD | 302 | 104.90.179.99:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=amd64&o1=netfx_Full_x86.msi | NL |  |  | whitelisted
880 | svchost.exe | HEAD | 302 | 104.90.179.99:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=x86&o1=netfx_Full.mzz | NL |  |  | whitelisted
3828 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3828 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted
4048 | Setup.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | US | der | 1.05 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3828 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | Microsoft Corporation | US | suspicious
1624 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | Microsoft Corporation | US | suspicious
3828 | iexplore.exe | 104.92.93.19:443 | go.microsoft.com | Akamai Technologies, Inc. | NL | unknown
1624 | iexplore.exe | 184.30.21.171:443 | www.microsoft.com | GTT Communications Inc. | US | suspicious
1624 | iexplore.exe | 152.199.19.161:443 | az416426.vo.msecnd.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3828 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1624 | iexplore.exe | 104.92.93.19:443 | go.microsoft.com | Akamai Technologies, Inc. | NL | unknown
3828 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1624 | iexplore.exe | 92.123.224.11:443 | statics-marketingsites-wcus-ms-com.akamaized.net | Akamai International B.V. |  | suspicious
1516 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | Microsoft Corporation | US | suspicious

DNS requests

Domain | IP | Reputation
go.microsoft.com | 104.92.93.19, 104.90.179.99 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
dotnet.microsoft.com | 13.107.246.45, 13.107.213.45 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
statics-marketingsites-wcus-ms-com.akamaized.net | 92.123.224.11, 92.123.224.58 | whitelisted
az416426.vo.msecnd.net | 152.199.19.161 | whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net | 92.123.224.68, 92.123.224.60 | whitelisted
wcpstatic.microsoft.com | 13.107.246.45, 13.107.213.45 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted

Threats: No threats detected
Debug info: No debug info