File name: challenge.zip

Full analysis: https://app.any.run/tasks/88fb6364-9b10-4050-ac98-89f301b25d7e
Verdict: Malicious activity
Analysis date: May 18, 2025, 09:46:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, sonic
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 52F9551DECA942A8A88ED0A619684FAA
SHA1: 4ADB581F7D20B0A51F09AF6E966495BA9BF35E86
SHA256: B58E493A5E7780611A2A3337448F57EE21A6AF0EA6722674DC80D80F06235275
SSDEEP: 384:U7g5i/kW5kN4v3P4741m54OmajzzXvcv72:/W+qvf474U54cnXvX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 300)
    • Create files in the Startup directory

      • cmd.exe (PID: 3956)
    • Changes the autorun value in the registry

      • reg.exe (PID: 4756)
      • reg.exe (PID: 8124)
      • reg.exe (PID: 7856)
      • reg.exe (PID: 8136)
    • SONIC has been detected

      • cmd.exe (PID: 3956)
  • SUSPICIOUS

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5572)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 8164)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 7416)
    • The system shut down or reboot

      • cmd.exe (PID: 1276)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 7484)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5572)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 8164)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7416)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • certutil.exe (PID: 7156)
    • Process uses IPCONFIG to discard the IP address configuration

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
    • The process executes VB scripts

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 5020)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 7416)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 7416)
    • Application launched itself

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 7416)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 5020)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 7196)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 3956)
    • The process checks if it is being run in the virtual environment

      • icacls.exe (PID: 7616)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1276)
      • cmd.exe (PID: 3956)
    • Checks supported languages

      • Tasksvc.exe (PID: 744)
    • Reads the computer name

      • Tasksvc.exe (PID: 744)
    • Reads security settings of Internet Explorer

      • calc.exe (PID: 7276)
      • calc.exe (PID: 4528)
      • calc.exe (PID: 7584)
      • OpenWith.exe (PID: 8044)
      • OpenWith.exe (PID: 8096)
      • OpenWith.exe (PID: 7568)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2025:05:13 05:52:44
ZipCRC: 0xd620a5b0
ZipCompressedSize: 12517
ZipUncompressedSize: 23646
ZipFileName: challenge_1.bat
All screenshots are available in the full report
Total processes: 370
Monitored processes: 238
Malicious processes: 4
Suspicious processes: 5


Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\challenge.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 744
CMD: Tasksvc.exe
Path: C:\Users\admin\Desktop\Tasksvc.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\tasksvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1088
CMD: rundll32 user32.dll, SwapMouseButton
Path: C:\Windows\System32\rundll32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1180
CMD: rundll32 user32.dll, SetCursorPos
Path: C:\Windows\System32\rundll32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1276
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
PID: 1568
CMD: takeown /f "C:\WINDOWS\System32\winresume.exe"
Path: C:\Windows\System32\takeown.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Takes ownership of a file
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
PID: 1912
CMD: WScript ErrorCritico.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2552
CMD: WScript Advertencia.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2616
CMD: msg * Has sido hackeado!
Path: C:\Windows\System32\msg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Message Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 3024
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events: 27 380
Read events: 27 290
Write events: 90
Delete events: 0

Modification events

(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\challenge.zip
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (300) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
(PID) Process: (4756) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: EthernetKill | Value: C:\Users\admin\AppData\Local\Temp\EthernetKiller.cmd
Executable files: 2
Suspicious files: 0
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type
300 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb300.43386\challenge_1.bat | text
MD5: 39830FCB4FFB54FEAAF9A659C07ACED3
SHA256: D13E2C505021D99FD969A85F1FD530066E48ABDCA9161166D38D7593C8EF275D
3956 | cmd.exe | C:\Users\admin\Desktop\ErrorCritico.vbs | text
MD5: 08121EA7E3B2EB7EDFC85252B937AAEB
SHA256: 31CD4463ECC62DC846DBAEE0A5446D4BF11100BEFF1B01AE88E234B6C29329C2
3956 | cmd.exe | C:\Users\admin\Desktop\Virus.com | text
MD5: 4E41B674F8EF8CF2012EE14BAAB6F8FB
SHA256: 6E873072B66344577E74522918670959181BD0AF626FDC45E39F4630A8EF72C8
3956 | cmd.exe | C:\Users\admin\AppData\Local\Temp\EthernetKiller.cmd | text
MD5: 9905E5A33C6EDD8EB5F59780AFBF74DE
SHA256: C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3
3956 | cmd.exe | C:\Users\admin\Desktop\Informacion.vbs | text
MD5: 08121EA7E3B2EB7EDFC85252B937AAEB
SHA256: 31CD4463ECC62DC846DBAEE0A5446D4BF11100BEFF1B01AE88E234B6C29329C2
3956 | cmd.exe | C:\Users\admin\Desktop\Virus.ini | text
MD5: 0DA3FB67CF67763AD3E1A8CC0C3E71F0
SHA256: 8A634603DE0147F793D1ABBC9E42BDC42098A712B16941609A4504288A082D6B
3956 | cmd.exe | C:\Users\admin\Desktop\Taskdl.bat | text
MD5: 9905E5A33C6EDD8EB5F59780AFBF74DE
SHA256: C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3
3956 | cmd.exe | C:\Users\admin\Desktop\Taskse.exe | text
MD5: 523E98DDFC769CDED3270A59BBDCE3BC
SHA256: 256B3E85E92CE2FA4D5910286F86892B797222FD4880EF76AF4A467050A2B941
3956 | cmd.exe | C:\Users\admin\Desktop\Virus.exe | text
MD5: E4C948618CE7A2DDE01BE023F2EAF1EF
SHA256: D757A01DF8970503980C661C49CB8B541A54D10CF5E84AB031DB24AC9A947876
3956 | cmd.exe | C:\Users\admin\Desktop\Advertencia.vbs | text
MD5: 08121EA7E3B2EB7EDFC85252B937AAEB
SHA256: 31CD4463ECC62DC846DBAEE0A5446D4BF11100BEFF1B01AE88E234B6C29329C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 31
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
– | – | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | – | unknown | – | whitelisted
– | – | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | – | unknown | – | whitelisted
2924 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | – | unknown | – | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | – | unknown | – | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | – | unknown | – | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | – | unknown | – | whitelisted
(Fields marked "–" were empty in the source report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | – | – | – | whitelisted
– | – | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
– | – | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.5:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
(Fields marked "–" were empty in the source report.)

DNS requests


Threats

No threats detected
No debug info