File name:

xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe

Full analysis: https://app.any.run/tasks/73392a2b-1530-4ca7-a7ec-3c3e7cdd495e
Verdict: Malicious activity
Threats:

Stealers are malware built to collect a victim's data without authorization and send it to the attacker. The category covers programs that each target a particular kind of data, such as files, saved credentials, or cryptocurrency wallets, and many also spy on the victim by logging keystrokes and capturing screenshots. Stealers are distributed mainly through phishing campaigns. On this report the tag is behavioural: the signatures below flag screenshot-capture functionality (YARA) and possible browser-data access, no stealer family is named, and no malware configuration was extracted.

Analysis date: February 03, 2026, 10:17:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

78B37C1360F735D197D7925947F582DC

SHA1:

55F834C2B7DB3ED52FD750A8FFF035E269971CA3

SHA256:

AE8E6D370E8A928EFC192126ED87F1DD8189BC3FCC528AB8C7DED4736DA84601

SSDEEP:

196608:Tv8gX4VuSnlrcn/CDQ2NHUVC3M8sU8rM3qQPWLSlf7FSUQ:7IV5rnDjN00VsUoMOI7FtQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 7868)
      • net.exe (PID: 132)
      • gusetup.exe (PID: 7748)
      • net.exe (PID: 7936)
    • Registers / Runs the DLL via REGSVR32.EXE

      • gusetup.exe (PID: 7748)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
    • The process creates files with name similar to system file names

      • gusetup.exe (PID: 7748)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • gusetup.exe (PID: 7748)
    • Process drops legitimate windows executable

      • gusetup.exe (PID: 7748)
    • The process drops C-runtime libraries

      • gusetup.exe (PID: 7748)
    • Drops a system driver (possible attempt to evade defenses)

      • gusetup.exe (PID: 7748)
      • StartupManager.exe (PID: 6444)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 8080)
      • regsvr32.exe (PID: 1988)
      • regsvr32.exe (PID: 2392)
    • Searches for installed software

      • statisticsinfo.exe (PID: 9036)
    • Creates or modifies Windows services

      • DiskDefrag.exe (PID: 8328)
    • Creates files in the driver directory

      • StartupManager.exe (PID: 6444)
    • Executes as Windows Service

      • MemfilesService.exe (PID: 9080)
    • Possible stealing from browsers

      • Initialize.exe (PID: 5180)
    • Creates file in the systems drive root

      • MemfilesService.exe (PID: 9080)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 8124)
    • Uses REG/REGEDIT.EXE to modify registry

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
  • INFO

    • Create files in a temporary directory

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
      • gusetup.exe (PID: 7748)
      • statisticsinfo.exe (PID: 9036)
    • Checks supported languages

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
      • gusetup.exe (PID: 7748)
      • GUAssistComSvc.exe (PID: 8364)
      • statisticsinfo.exe (PID: 9036)
      • DiskDefrag.exe (PID: 8328)
      • StartupManager.exe (PID: 6444)
      • GUBootService.exe (PID: 4472)
      • GUPMService.exe (PID: 7472)
      • procmgr.exe (PID: 1200)
      • Initialize.exe (PID: 5180)
      • GUAssistComSvc.exe (PID: 144)
      • GUBootService.exe (PID: 8756)
      • MemfilesService.exe (PID: 272)
      • MemfilesService.exe (PID: 9080)
      • version.exe (PID: 3636)
    • Reads the computer name

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
      • GUAssistComSvc.exe (PID: 8364)
      • GUBootService.exe (PID: 4472)
      • GUPMService.exe (PID: 7472)
      • procmgr.exe (PID: 1200)
      • statisticsinfo.exe (PID: 9036)
      • DiskDefrag.exe (PID: 8328)
      • StartupManager.exe (PID: 6444)
      • MemfilesService.exe (PID: 9080)
      • Initialize.exe (PID: 5180)
      • GUBootService.exe (PID: 8756)
      • GUAssistComSvc.exe (PID: 144)
      • MemfilesService.exe (PID: 272)
      • gusetup.exe (PID: 7748)
      • version.exe (PID: 3636)
    • Process checks computer location settings

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
      • StartupManager.exe (PID: 6444)
      • Initialize.exe (PID: 5180)
    • Reads security settings of Internet Explorer

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
      • statisticsinfo.exe (PID: 9036)
      • StartupManager.exe (PID: 6444)
      • Initialize.exe (PID: 5180)
    • The sample compiled with chinese language support

      • gusetup.exe (PID: 7748)
    • The sample compiled with arabic language support

      • gusetup.exe (PID: 7748)
    • The sample compiled with english language support

      • gusetup.exe (PID: 7748)
      • statisticsinfo.exe (PID: 9036)
    • The sample compiled with japanese language support

      • gusetup.exe (PID: 7748)
    • Creates files in the program directory

      • gusetup.exe (PID: 7748)
      • StartupManager.exe (PID: 6444)
      • Initialize.exe (PID: 5180)
      • version.exe (PID: 3636)
      • MemfilesService.exe (PID: 9080)
    • There is functionality for taking screenshot (YARA)

      • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (PID: 9176)
      • gusetup.exe (PID: 7748)
      • MemfilesService.exe (PID: 9080)
    • Creates a software uninstall entry

      • gusetup.exe (PID: 7748)
      • statisticsinfo.exe (PID: 9036)
    • Drops script file

      • gusetup.exe (PID: 7748)
      • Initialize.exe (PID: 5180)
    • Checks proxy server information

      • statisticsinfo.exe (PID: 9036)
      • slui.exe (PID: 1676)
    • Creates files or folders in the user directory

      • Initialize.exe (PID: 5180)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:12 10:17:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.33
CodeSize: 288768
InitializedDataSize: 214528
UninitializedDataSize: -
EntryPoint: 0x32ee0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
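The EXIF block above is read straight out of the PE COFF and optional headers. The Python below is an added example, not part of the ANY.RUN report or the analysed sample: it parses those header fields and formats them the way the block prints them, so the values can be re-derived from a local copy of the file. It exercises itself on a constructed, header-only PE32+ stub that carries the same values as the block; the stub is built for the demonstration and is not the real file.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "Intel 386", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTICS = {  # IMAGE_FILE_* flags worth surfacing during triage
    0x0002: "Executable",
    0x0020: "Large address aware",
    0x0100: "32-bit",
    0x2000: "DLL",
}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF and optional-header fields that a sandbox's EXIF block is derived from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short")
    # Standard fields up to BaseOfCode are laid out identically for PE32 and PE32+.
    magic, lnk_major, lnk_minor, code, init, uninit, entry, _base_code = struct.unpack_from("<HBBIIIII", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Offsets 24..31 hold BaseOfData+ImageBase (PE32) or the 8-byte ImageBase (PE32+); the rest is shared.
    (_sec_align, _file_align, os_major, os_minor, img_major, img_minor, sub_major, sub_minor,
     _win32ver, _size_image, _size_headers, _checksum, subsystem, _dllchars) = struct.unpack_from(
        "<IIHHHHHHIIIIHH", data, opt + 32)
    return {
        "MachineType": MACHINES.get(machine, f"{machine:#06x}"),
        "Sections": nsections,
        "TimeStamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "PEType": "PE32+" if magic == 0x20B else "PE32",
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code,
        "InitializedDataSize": init,
        "UninitializedDataSize": uninit,
        "EntryPoint": f"{entry:#x}",
        "OSVersion": f"{os_major}.{os_minor}",
        "ImageVersion": f"{img_major}.{img_minor}",
        "SubsystemVersion": f"{sub_major}.{sub_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_pe32plus() -> bytes:
    """Constructed header-only PE32+ stub carrying the EXIF values printed above; it is not the analysed file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header immediately after the DOS header
    # Machine, NumberOfSections, TimeDateStamp (2024-05-12 10:17:07 UTC), symtab, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 8, 1715509027, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<HBBIIIII", opt, 0, 0x20B, 14, 33, 288768, 214528, 0, 0x32EE0, 0x1000)
    struct.pack_into("<Q", opt, 24, 0x140000000)  # ImageBase
    struct.pack_into("<IIHHHHHHIIIIHH", opt, 32, 0x1000, 0x200, 5, 2, 0, 0, 5, 2, 0, 0x80000, 0x400, 0, 2, 0x8160)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for field, value in parse_pe_header(build_sample_pe32plus()).items():
        print(f"{field}: {value}")
```

Run it on the real file with parse_pe_header(open(path, "rb").read()) and compare with the block above; a mismatch means your copy and the report's are different files. The TimeDateStamp is set by whoever builds the binary, so treat it as a hint rather than provenance; a 14.3x linker version belongs to the Visual Studio 2022 toolset.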
Total processes
171
Monitored processes
34
Malicious processes
2
Suspicious processes
2

Behavior graph

Graph nodes in launch order ("no specs" is the graph's own marker for a node without process specifications):
  • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe
  • gusetup.exe (no specs)
  • net.exe (no specs)
  • conhost.exe (no specs)
  • net1.exe (no specs)
  • net.exe (no specs)
  • conhost.exe (no specs)
  • net1.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • guassistcomsvc.exe (no specs)
  • statisticsinfo.exe
  • diskdefrag.exe (no specs)
  • startupmanager.exe (no specs)
  • gubootservice.exe (no specs)
  • gupmservice.exe (no specs)
  • procmgr.exe (no specs)
  • memfilesservice.exe (no specs)
  • net.exe (no specs)
  • conhost.exe (no specs)
  • net1.exe (no specs)
  • memfilesservice.exe (no specs)
  • initialize.exe (no specs)
  • gubootservice.exe (no specs)
  • guassistcomsvc.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • version.exe (no specs)
  • regedit.exe (no specs)
  • regedit.exe (no specs)
  • slui.exe
  • xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe (no specs)

Process information

PID:
132
CMD:
net stop GUMemfilesService
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
gusetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
144
CMD:
"C:\Program Files (x86)\Glary Utilities\x64\GUAssistComSvc.exe" -Embedding
Path:
C:\Program Files (x86)\Glary Utilities\x64\GUAssistComSvc.exe
Parent process:
svchost.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Exit code:
0
Version:
6.0.0.4
Modules
Images
c:\program files (x86)\glary utilities\x64\guassistcomsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
272
CMD:
"C:\Program Files (x86)\Glary Utilities\x64\MemfilesService.exe" -RegServer
Path:
C:\Program Files (x86)\Glary Utilities\x64\MemfilesService.exe
Parent process:
gusetup.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
MemfilesService
Exit code:
0
Version:
6.1.0.12
Modules
Images
c:\program files (x86)\glary utilities\x64\memfilesservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
1200
CMD:
"C:\Program Files (x86)\Glary Utilities\procmgr.exe" -guupdate
Path:
C:\Program Files (x86)\Glary Utilities\procmgr.exe
Parent process:
gusetup.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities ProcessManager
Exit code:
2
Version:
6.0.0.11
Modules
Images
c:\program files (x86)\glary utilities\procmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1676
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1988
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glary Utilities\ContextHandler.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
gusetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
2220
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2392
CMD:
/s "C:\Program Files (x86)\Glary Utilities\x64\ContextHandler.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
3636
CMD:
"C:\Users\admin\AppData\Local\Temp\RarSFX0\version.exe"
Path:
C:\Users\admin\AppData\Local\Temp\RarSFX0\version.exe
Parent process:
xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\version.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4020
CMD:
"C:\Windows\regedit.exe" /S arabic.reg
Path:
C:\Windows\regedit.exe
Parent process:
xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
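The command lines in the process table map directly onto the MALICIOUS and SUSPICIOUS signatures above: regedit.exe /S importing a .reg file dropped by the RAR self-extractor, regsvr32.exe /s registering COM DLLs, net stop against a service, and an -RegServer self-registration. The Python below is an added example, not ANY.RUN's code and not the sample's: it applies those rules to Sysmon-style process-creation events and scores the hits per process tree, so a staged installer chain is judged as a whole rather than as isolated single-tool events. The event list is constructed from the table; the image paths and parents of the sample and of gusetup.exe are assumptions (the report names parents only by image and does not print the sample's path), and the explorer.exe/regedit.exe pair is a benign control.

```python
import re
from collections import defaultdict

SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)

# Constructed process-creation events modelled on the process table above (Sysmon event 1 style fields).
# Parent PIDs and paths marked "assumed" are not in the report. PIDs 5000/5001 are a benign control.
SAMPLE = r"C:\Users\admin\Desktop\xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe"  # assumed path
EVENTS = [
    {"pid": 9176, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3636, "ppid": 9176, "image": r"C:\Users\admin\AppData\Local\Temp\RarSFX0\version.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\RarSFX0\version.exe" '},
    {"pid": 4020, "ppid": 9176, "image": r"C:\Windows\regedit.exe", "cmdline": r'"C:\Windows\regedit.exe" /S arabic.reg'},
    {"pid": 7748, "ppid": 9176, "image": r"C:\Users\admin\AppData\Local\Temp\RarSFX0\gusetup.exe",  # assumed parent/path
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\RarSFX0\gusetup.exe"'},
    {"pid": 132, "ppid": 7748, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net stop GUMemfilesService"},
    {"pid": 1988, "ppid": 7748, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glary Utilities\ContextHandler.dll"'},
    {"pid": 2392, "ppid": 1988, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r' /s "C:\Program Files (x86)\Glary Utilities\x64\ContextHandler.dll"'},
    {"pid": 272, "ppid": 7748, "image": r"C:\Program Files (x86)\Glary Utilities\x64\MemfilesService.exe",
     "cmdline": r'"C:\Program Files (x86)\Glary Utilities\x64\MemfilesService.exe" -RegServer'},
    # Benign control: an admin importing a .reg file from Explorer trips one rule, not a chain.
    {"pid": 5000, "ppid": 4999, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\regedit.exe",
     "cmdline": r'"C:\Windows\regedit.exe" /S C:\Users\admin\Desktop\fix.reg'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_hits(ev: dict) -> list:
    """Behaviours a single event exhibits; each corresponds to one signature in the report above."""
    img, cmd = basename(ev["image"]), ev["cmdline"]
    hits = []
    if SFX_DIR.search(ev["image"]):
        hits.append("runs_from_rarsfx_temp")  # executable staged by a WinRAR self-extractor
    if img == "regedit.exe" and re.search(r"(?i)(^|\s)/s\s+\S+\.reg\b", cmd):
        hits.append("silent_reg_import")  # "Uses REG/REGEDIT.EXE to modify registry"
    if img == "regsvr32.exe" and re.search(r"(?i)(^|\s)/s\s", cmd):
        hits.append("silent_com_register")  # "Registers / Runs the DLL via REGSVR32.EXE"
    if img == "net.exe" and re.search(r"(?i)\bnet\s+stop\s+\S+", cmd):
        hits.append("service_stop")  # "Starts NET.EXE for service management"
    if re.search(r"(?i)\s-RegServer\b", cmd):
        hits.append("com_regserver")  # out-of-process COM server self-registration
    return hits


def root_of(pid: int, by_pid: dict) -> int:
    """Walk parent links up to the oldest ancestor present in the event set (cycle-safe)."""
    seen = set()
    while pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def chains(events: list) -> dict:
    """Group hits by root process so a staged installer is scored as one chain, not as unrelated events."""
    by_pid = {e["pid"]: e for e in events}
    out = defaultdict(lambda: {"hits": [], "pids": []})
    for ev in events:
        for hit in rule_hits(ev):
            root = root_of(ev["pid"], by_pid)
            out[root]["hits"].append(hit)
            out[root]["pids"].append(ev["pid"])
    return dict(out)


def verdict(chain: dict) -> str:
    kinds = set(chain["hits"])
    if "runs_from_rarsfx_temp" in kinds and len(kinds) >= 3:
        return "suspicious: SFX-staged installer chain"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    for root, chain in chains(EVENTS).items():
        print(root, verdict(chain), sorted(set(chain["hits"])), sorted(chain["pids"]))
```

Each rule on its own is noisy (administrators run regedit /S and net stop all day); the value is in the root-process grouping, which is why the control pair scores "review" while the SFX-rooted tree scores "suspicious".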
Total events
6 694
Read events
6 520
Write events
147
Delete events
27

Modification events

(PID) Process: (8080) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C97FA4-8378-42BF-A6F9-D615EB1272D7}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (8080) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28C97FA4-8378-42BF-A6F9-D615EB1272D7}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (8080) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31FB3410-EA8B-4931-91C5-ADA7B91D953B}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (8080) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{31FB3410-EA8B-4931-91C5-ADA7B91D953B}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (8080) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58B505BE-F589-4E8E-8BF2-B78E078CA8F7}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (7748) gusetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Glarysoft\Glary Utilities
Operation: write
Name: Language
Value: english.lng

(PID) Process: (7748) gusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Glarysoft\Glary Utilities
Operation: write
Name: ProductID
Value: 1

(PID) Process: (7748) gusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Glarysoft\Glary Utilities
Operation: write
Name: ChannelNumber
Value: 10000

(PID) Process: (7748) gusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Utilities
Operation: write
Name: Channel
Value: 10000

(PID) Process: (7748) gusetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Utilities
Operation: write
Name: ProductID
Value: 619023037000
Executable files
150
Suspicious files
42
Text files
730
Unknown types
3

Dropped files

PID 9176 (xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe)
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\arabic.reg
Type: text
MD5: B5B855E49A7C06B40D84572060E42F19
SHA256: 9C9DCF0B7C986C8802D1C0F2955CB31E337A0A0CF1DBE091A150A62EF5FF5733

PID 9176 (xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe)
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\version.exe
Type: executable
MD5: 2518FFAD654E7BCB9C9C8BDDF3A85336
SHA256: F0DEC91D8DCA2328F62AB4219E44061BD19FB5865AB01EECA9A44078A61C425A

PID 7748 (gusetup.exe)
Filename: C:\Users\admin\AppData\Local\Temp\nsy6EA7.tmp\System.dll
Type: executable
MD5: FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E

PID 7748 (gusetup.exe)
Filename: C:\Users\admin\AppData\Local\Temp\nsy6EA7.tmp\GlaryUtilities.ini
Type: binary
MD5: 6902D8C594B6BCDA015D314526468F55
SHA256: 3BF3237714C7585A71BFA82ADCAED7EBE41B1245D99BCB3EA24441D9DF83D6A8

PID 9176 (xae8e6d370e8a928efc192126ed87f1dd8189bc3fcc528ab8c7ded4736da84601.exe)
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\reg.reg
Type: text
MD5: 615EFB8F1973D1294C8FD8B62BE4069B
SHA256: 48D5E9D2F166B9357EC044FE0BA9DFFFA96750DD577512E387CD1430E3E44E1E

PID 7748 (gusetup.exe)
Filename: C:\Program Files (x86)\Glary Utilities\CheckDisk.exe
Type: executable
MD5: 759EEE243079C9D91C886501AC156068
SHA256: 9F666859500069F1E8A5BB3606177EBAD4747F7F288843A47A74F859A68F175E

PID 7748 (gusetup.exe)
Filename: C:\Users\admin\AppData\Local\Temp\nsy6EA7.tmp\popularize.ico
Type: image
MD5: D6609276E300CD75E237ABD9CC0FEE54
SHA256: 1ABEE4DEC248FF2C9BFBEC65E3241E457324F9220693763B6878BAF298DF730B

PID 7748 (gusetup.exe)
Filename: C:\Program Files (x86)\Glary Utilities\CheckDisk.dll
Type: executable
MD5: 46CE5BF88BF1D1FCA3F889C8180388A9
SHA256: 55FFEF1CFC343C5BF5A22EBF1995AD8005E142EA74A58A66AEA13DCF2DED0A59

PID 7748 (gusetup.exe)
Filename: C:\Program Files (x86)\Glary Utilities\CheckDiskProgress.exe
Type: executable
MD5: B1013A38DC4941E11D2F4776339FD1F8
SHA256: 9562423F4AF3B0FAFDE59F144F631C05BAD9D077F5C1A9D09FC9FA92E9215E0C

PID 7748 (gusetup.exe)
Filename: C:\Program Files (x86)\Glary Utilities\BootTime.dll
Type: executable
MD5: F51EB4685DEA6EFAB281304D0C2FB93B
SHA256: 4A91AD6C57765539334166B588D025CE155A5A6EF84B79923D59EBA6538A6F66
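Two of the dropped files (RarSFX0\arabic.reg and RarSFX0\reg.reg) are consumed by the silent regedit.exe /S imports in the process table, and the report does not show what they contain. The Python below is an added example, not code from the report or from the sample: a small parser for the "Windows Registry Editor Version 5.00" format that turns an export into structured entries (including key and value deletions and wrapped hex data) and flags anything touching persistence or hijack locations. SAMPLE_REG is constructed for the demonstration and is not the content of arabic.reg or reg.reg.

```python
import re

SENSITIVE = [  # key paths whose writes or deletions a triage analyst wants surfaced first
    ("autorun", re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)),
    ("service", re.compile(r"\\CurrentControlSet\\Services\\", re.I)),
    ("ifeo", re.compile(r"\\Image File Execution Options\\", re.I)),
    ("winlogon", re.compile(r"\\Winlogon(\\|$)", re.I)),
    ("com_server", re.compile(r"\\CLSID\\\{[0-9A-F-]+\}", re.I)),
]
HEX_KINDS = {"2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}  # hex(n): type suffixes

# Constructed sample export; not the contents of any file dropped by the sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example Installer]
"Language"="arabic.lng"
"FirstRun"=dword:00000001
"Blob"=hex:de,ad,\
  be,ef

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\version.exe\" -quiet"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
'''


def _unescape(s: str) -> str:
    """regedit exports escape backslash and double quote inside quoted strings."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text: str) -> list:
    """Parse a v5 .reg file into (key, name, kind, value) tuples; kind is 'delete-key'/'delete-value' for removals."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Windows Registry Editor 5.00 file")
    entries, key, i = [], None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):  # [-HKEY...] deletes the whole key
                entries.append((body[1:], None, "delete-key", None))
                key = None
            else:
                key = body
            continue
        if key is None:
            raise ValueError(f"value outside any key: {line}")
        while line.endswith("\\"):  # hex data is wrapped onto continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        raw_name, _, raw = line.partition("=")
        name = "@" if raw_name == "@" else _unescape(raw_name[1:-1])
        if raw == "-":
            entries.append((key, name, "delete-value", None))
        elif raw.startswith('"'):
            entries.append((key, name, "REG_SZ", _unescape(raw[1:-1])))
        elif raw.lower().startswith("dword:"):
            entries.append((key, name, "REG_DWORD", int(raw[6:], 16)))
        elif raw.lower().startswith("hex"):
            kind = HEX_KINDS.get(raw[4:raw.index(")")], "REG_BINARY") if raw.startswith("hex(") else "REG_BINARY"
            entries.append((key, name, kind, bytes.fromhex(raw[raw.index(":") + 1:].replace(",", ""))))
        else:
            raise ValueError(f"unsupported value syntax: {raw}")
    return entries


def flag_sensitive(entries: list) -> list:
    """Return (label, key, name, kind, value) for every entry touching a persistence or hijack location."""
    flagged = []
    for key, name, kind, value in entries:
        for label, pat in SENSITIVE:
            if pat.search(key):
                flagged.append((label, key, name, kind, value))
                break
    return flagged


if __name__ == "__main__":
    for hit in flag_sensitive(parse_reg(SAMPLE_REG)):
        print(hit)
```

regedit writes exports as UTF-16LE with a byte-order mark, so read a real dropped file with open(path, encoding="utf-16") before passing the text in. Deletions matter as much as writes: a [-KEY] section or "name"=- line imported silently removes state without any confirmation, which is exactly what the /S switch is for.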
HTTP(S) requests
14
TCP/UDP connections
40
DNS requests
11
Threats
1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3208 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
9036 | statisticsinfo.exe | POST | 200 | 52.24.207.204:80 | http://analytics.glarysoft.com/api/v1/install | unknown | - | - | unknown
4196 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | - | - | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | - | - | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | - | - | whitelisted

("-" marks a column the extract left empty for that row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.241.200:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 2.16.241.223:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
- | - | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3208 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3208 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

("-" marks a column the extract left empty for that row.)

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.16.241.200
  • 2.16.241.197
  • 2.16.241.201
  • 2.16.241.219
  • 2.16.241.223
  • 2.16.241.222
  • 2.16.241.220
  • 2.16.241.218
  • 2.16.241.221
whitelisted
th.bing.com
  • 2.16.241.223
  • 2.16.241.203
  • 2.16.241.205
  • 2.16.241.204
  • 2.16.241.206
  • 2.16.241.201
  • 2.16.241.200
  • 2.16.241.222
  • 2.16.241.197
whitelisted
self.events.data.microsoft.com
  • 20.44.10.123
  • 52.168.117.171
whitelisted
google.com
  • 172.217.16.174
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.16.164.120
  • 2.16.164.49
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
analytics.glarysoft.com
  • 52.24.207.204
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

PID | Process | Class | Message
9036 | statisticsinfo.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] NSIS INetC plugin User-Agent observed in HTTP request
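Most of the HTTP rows and connections above come from Windows background processes (CRL fetches by svchost.exe and MoUsoCoreWorker.exe, activation traffic from slui.exe); the only request issued from the sample's own process tree is the POST to analytics.glarysoft.com, which is also the row the IDS flagged for an NSIS INetC User-Agent. The Python below is an added example, not ANY.RUN's code, that makes that attribution explicit: it expands the sample's process tree from a parent map and labels each request as sample-originated, background, or unattributed. The rows and parent links are constructed from the tables above; the parents of gusetup.exe and statisticsinfo.exe, every User-Agent value, and the NSIS_Inetc token are assumptions (the report prints no request headers).

```python
from urllib.parse import urlsplit

# Hosts Windows contacts on its own during a run (each appears in the DNS table above as whitelisted).
BACKGROUND_HOSTS = {
    "crl.microsoft.com", "www.microsoft.com", "settings-win.data.microsoft.com",
    "self.events.data.microsoft.com", "activation-v2.sls.microsoft.com", "www.bing.com", "th.bing.com",
}
INSTALLER_UA_MARKERS = ("NSIS_Inetc",)  # assumption: token carried by the INetC plugin's default User-Agent

# Constructed parent map (PID -> parent PID) for the sample's tree. The parents of gusetup.exe (7748)
# and statisticsinfo.exe (9036) are assumptions; the report names parents only by image.
PARENTS = {9176: 1, 7748: 9176, 9036: 7748, 3636: 9176, 4020: 9176}

# Constructed HTTP rows modelled on the table above. All "ua" values are constructed for the demo.
HTTP_ROWS = [
    {"pid": 3208, "process": "svchost.exe", "method": "GET", "status": 200,
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", "ua": "Microsoft-CryptoAPI/10.0"},
    {"pid": 9036, "process": "statisticsinfo.exe", "method": "POST", "status": 200,
     "url": "http://analytics.glarysoft.com/api/v1/install", "ua": "NSIS_Inetc (Mozilla)"},
    {"pid": 4196, "process": "slui.exe", "method": "POST", "status": 500,
     "url": "https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail",
     "ua": "constructed-activation-client"},
    {"pid": 3292, "process": "svchost.exe", "method": "GET", "status": 200,
     "url": "http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl", "ua": "Microsoft-CryptoAPI/10.0"},
    # Constructed extra row: a POST from a process outside the tree to a host outside the background set.
    {"pid": 7100, "process": "svchost.exe", "method": "POST", "status": 200,
     "url": "http://example.invalid/upload", "ua": "Mozilla/5.0"},
]


def process_tree(parents: dict, root: int) -> set:
    """All PIDs that descend from root according to the parent map."""
    tree = {root}
    grew = True
    while grew:
        new = {p for p, pp in parents.items() if pp in tree and p not in tree}
        grew = bool(new)
        tree |= new
    return tree


def triage(rows: list, parents: dict, root: int) -> list:
    """Label each HTTP row 'sample' (from the sample's tree), 'background' (OS noise) or 'unattributed'."""
    tree = process_tree(parents, root)
    out = []
    for r in rows:
        host = urlsplit(r["url"]).hostname
        notes = []
        if r["pid"] in tree:
            label = "sample"
            if r["method"] == "POST":
                notes.append("outbound POST from sample tree")
        elif host in BACKGROUND_HOSTS:
            label = "background"
        else:
            label = "unattributed"
            notes.append("host outside background set")
        if any(marker in r["ua"] for marker in INSTALLER_UA_MARKERS):
            notes.append("installer (NSIS INetC) user-agent")
        out.append({"pid": r["pid"], "process": r["process"], "host": host, "label": label, "notes": notes})
    return out


if __name__ == "__main__":
    for row in triage(HTTP_ROWS, PARENTS, 9176):
        print(row["label"], row["pid"], row["process"], row["host"], "; ".join(row["notes"]))
```

Reputation columns tell you whether a destination is known, not who talked to it; on this page analytics.glarysoft.com is "whitelisted" in the DNS table and "unknown" in the HTTP table, and neither says that the request came from the installer rather than from Windows. Tree attribution answers that, which is why the IDS hit and the sample-tree POST landing on the same row is the detail to note.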