File name:

WD Backup.exe

Full analysis: https://app.any.run/tasks/a41e3503-b007-4b32-b143-31a4af1a7374
Verdict: Malicious activity
Analysis date: April 28, 2025, 13:29:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

5306444F3BD62B92FE231FCD4488D2F0

SHA1:

A07D29363733589D29735D72DCC508C853DED897

SHA256:

B610698A984F7E61CD89E99560182BC90524F16C5A160CF5C4595749BC88D293

SSDEEP:

98304:aufohiU5s7rwSfr55BK7MzNJRnm06X6nvGN6+XZjS0k2Jm1fc1tbTsBicmEODfaa:fEWYzIS4nkvh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WD Backup.exe (PID: 2516)
      • msiexec.exe (PID: 2600)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WD Backup.exe (PID: 2852)

    • Executable content was dropped or overwritten

      • WD Backup.exe (PID: 2852)
      • WD Backup.exe (PID: 5072)
      • WD Backup.exe (PID: 2516)
      • rundll32.exe (PID: 1056)
      • rundll32.exe (PID: 7144)

    • Searches for installed software

      • WD Backup.exe (PID: 2852)

    • Starts itself from another location

      • WD Backup.exe (PID: 2852)

    • Reads security settings of Internet Explorer

      • WD Backup.exe (PID: 2852)
      • WDAppManager.exe (PID: 1804)

    • Creates a software uninstall entry

      • WD Backup.exe (PID: 2516)

    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 2600)

    • Executes as Windows Service

      • dllhost.exe (PID: 5556)
      • msdtc.exe (PID: 4220)
      • dllhost.exe (PID: 6576)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 2600)

    • Creates/Modifies COM task schedule object

      • rundll32.exe (PID: 5956)
      • rundll32.exe (PID: 1188)

    • The process executes via Task Scheduler

      • WDAppManager.exe (PID: 1804)

  • INFO

    • Create files in a temporary directory

      • WD Backup.exe (PID: 5072)
      • WD Backup.exe (PID: 2852)
      • WD Backup.exe (PID: 2516)
      • msiexec.exe (PID: 2344)

    • Checks supported languages

      • WD Backup.exe (PID: 5072)
      • WD Backup.exe (PID: 2852)
      • WD Backup.exe (PID: 2516)
      • msiexec.exe (PID: 2600)
      • msiexec.exe (PID: 2344)
      • msiexec.exe (PID: 5020)
      • WDAppManager.exe (PID: 1804)
      • msiexec.exe (PID: 3032)
      • WDBackupService.exe (PID: 5400)

    • The sample compiled with english language support

      • WD Backup.exe (PID: 5072)
      • WD Backup.exe (PID: 2852)
      • WD Backup.exe (PID: 2516)

    • Reads the machine GUID from the registry

      • WD Backup.exe (PID: 2852)
      • WD Backup.exe (PID: 2516)
      • msiexec.exe (PID: 2600)
      • WDAppManager.exe (PID: 1804)
      • WDBackupService.exe (PID: 5400)

    • Reads the computer name

      • WD Backup.exe (PID: 2852)
      • WD Backup.exe (PID: 2516)
      • msiexec.exe (PID: 2600)
      • msiexec.exe (PID: 2344)
      • msiexec.exe (PID: 3032)
      • msiexec.exe (PID: 5020)
      • WDAppManager.exe (PID: 1804)
      • WDBackupService.exe (PID: 5400)

    • Creates files in the program directory

      • WD Backup.exe (PID: 2516)
      • WDAppManager.exe (PID: 1804)
      • WDBackupService.exe (PID: 5400)

    • Process checks computer location settings

      • WD Backup.exe (PID: 2852)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 2600)
      • WD Backup.exe (PID: 2852)

    • Reads the software policy settings

      • msiexec.exe (PID: 2600)
      • slui.exe (PID: 6032)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2600)

    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 4220)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 3024)
      • rundll32.exe (PID: 1188)
      • rundll32.exe (PID: 5956)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 2600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:06:07 17:11:20+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14
CodeSize: 302080
InitializedDataSize: 261632
UninitializedDataSize: -
EntryPoint: 0x2e1aa
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.9.6485.41936
ProductVersionNumber: 1.9.6485.41936
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Western Digital Technologies, Inc.
FileDescription: WD Backup
FileVersion: 1.9.6485.41936
InternalName: setup
LegalCopyright: © 2016 Western Digital Technologies, Inc. All rights reserved.
OriginalFileName: WD Backup.exe
ProductName: WD Backup
ProductVersion: 1.9.6485.41936
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
23
Malicious processes
3
Suspicious processes
4

Behavior graph

Click at the process to see the details
start wd backup.exe wd backup.exe sppextcomobj.exe no specs slui.exe wd backup.exe msiexec.exe msiexec.exe no specs dllhost.exe no specs msdtc.exe no specs msiexec.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe rundll32.exe msiexec.exe no specs msiexec.exe no specs wdappmanager.exe no specs wdbackupservice.exe no specs conhost.exe no specs dllhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1056rundll32.exe "C:\WINDOWS\Installer\MSI9FCF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1155031 327 BackupCustomAction!BackupCustomAction.CustomActions.ConfigureDriveAPICOMPlusAsServiceC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1188RunDll32.exe catsrvut.dll,ManagedRequest Global\{1F62FCF4-F9E9-401C-BD20-21851D2CAC7A}C:\Windows\SysWOW64\rundll32.exedllhost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1804"C:\Program Files (x86)\Western Digital\WD App Manager\WDAppManager.exe"C:\Program Files (x86)\Western Digital\WD App Manager\WDAppManager.exesvchost.exe
User:
admin
Company:
Western Digital Technologies, Inc.
Integrity Level:
MEDIUM
Description:
WD App Manager
Version:
1.2.4.12
Modules
Images
c:\program files (x86)\western digital\wd app manager\wdappmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWDBackupService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2344C:\Windows\syswow64\MsiExec.exe -Embedding 58673A6ECA50DEF9BD14350B72AB7945 E Global\MSI0000C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2516"C:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.be\WD Backup.exe" -q -burn.elevated BurnPipe.{3BB170BE-E83D-4DE3-8ACD-60C9070A15B1} {6FC27707-E44A-45A5-AFCD-E72AB60E492A} 2852C:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.be\WD Backup.exe
WD Backup.exe
User:
admin
Company:
Western Digital Technologies, Inc.
Integrity Level:
HIGH
Description:
WD Backup
Exit code:
0
Version:
1.9.6485.41936
Modules
Images
c:\users\admin\appdata\local\temp\{1f128d8d-192b-4c67-8e35-8537525ba4ff}\.be\wd backup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2600C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2852"C:\Users\admin\AppData\Local\Temp\{16B067DE-7B9C-42FA-8CD5-8373AC9F3F93}\.cr\WD Backup.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\WD Backup.exe" -burn.filehandle.attached=588 -burn.filehandle.self=712 C:\Users\admin\AppData\Local\Temp\{16B067DE-7B9C-42FA-8CD5-8373AC9F3F93}\.cr\WD Backup.exe
WD Backup.exe
User:
admin
Company:
Western Digital Technologies, Inc.
Integrity Level:
MEDIUM
Description:
WD Backup
Exit code:
0
Version:
1.9.6485.41936
Modules
Images
c:\users\admin\appdata\local\temp\{16b067de-7b9c-42fa-8cd5-8373ac9f3f93}\.cr\wd backup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2960C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
3024RunDll32.exe catsrvut.dll,ManagedRequest Global\{D1C92A03-D8AE-4CBF-9CC5-55C0A45948B4}C:\Windows\SysWOW64\rundll32.exedllhost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
20 857
Read events
20 415
Write events
380
Delete events
62

Modification events

(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleCachePath
Value:
C:\ProgramData\Package Cache\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}\WD Backup.exe
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleUpgradeCode
Value:
{EC2C7BC7-FAF4-44C3-AD86-6C6E517F9FF9}
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleAddonCode
Value:
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleDetectCode
Value:
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundlePatchCode
Value:
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleVersion
Value:
1.9.6485.41936
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleProviderKey
Value:
{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:BundleTag
Value:
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:EngineVersion
Value:
3.10.3.3007
(PID) Process:(2516) WD Backup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}
Operation:writeName:DisplayIcon
Value:
C:\ProgramData\Package Cache\{463d4278-a46b-4f4b-bfad-81d1c2f2fe2e}\WD Backup.exe,0
Executable files
105
Suspicious files
67
Text files
83
Unknown types
0

Dropped files

PID
Process
Filename
Type
5072WD Backup.exeC:\Users\admin\AppData\Local\Temp\{16B067DE-7B9C-42FA-8CD5-8373AC9F3F93}\.cr\WD Backup.exeexecutable
MD5:BADE13E01920B1B589EF1A2F9BA62C05
SHA256:4C1D45E7C9872872193B8F4E80BE5A38B827F5D92B54B45D644FF5183F1DE453
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\WDBackupPlan.dllexecutable
MD5:2C6915ADA72A0B2759AF866067B4B19A
SHA256:0FFB7F8304E0C45808045D2F66F0296330BEB866AFA8E50B1D85CA7EAB41B053
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\BootstrapperCore.dllexecutable
MD5:96514B5A1F45BC7F3D5482B427BE0B83
SHA256:4F2A5421C3D3B036865CB7ECA2A72237C50F5589FB9C42237C947C878C4EE85F
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\mbapreq.dllexecutable
MD5:D4740D4EF04B7CFE4E93B5D44C8C22A4
SHA256:F5A7BB3BBF9FA41CEF4B77A3E43B392013A75905475831287BF2BA22A4BF5AC8
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\WDLocale.dllexecutable
MD5:F77296835EF9C2F3DE46CE3B668F5EC1
SHA256:29700109AFAAA80A6DA1FD2C1FAAA87CC5E81D7AF62CC75B65F94F8953993AFA
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\mbahost.dllexecutable
MD5:0895938EF748396F5D3892520882F6B7
SHA256:2F5467BFBFEC3E97823430DA18249AAEE390961C87DE61E4710F7B3EF8011630
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\mbapreq.wxlxml
MD5:035FB1B3661CA2FCE4DD6B7151CA34FD
SHA256:97B20444592C26211BABE655D54AE98A9ADDA671382A3F7B90AE62665759FB30
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\WDDriveAPI.dllexecutable
MD5:18075B358565EBF45DAB30D2F398CE44
SHA256:FBDD831E7F98FC8E6182BD66EEE3627BF563972C7F89B71082D93C1B86CA2D35
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\1040\mbapreq.wxlxml
MD5:50261379B89457B1980FF19CFABE6A08
SHA256:A40C94EB33F8841C79E9F6958433AFFD517F97B4570F731666AF572E63178BB7
2852WD Backup.exeC:\Users\admin\AppData\Local\Temp\{1F128D8D-192B-4C67-8E35-8537525BA4FF}\.ba\1036\mbapreq.wxlxml
MD5:AA32A059AADD42431F7837CB1BE7257F
SHA256:88E7DDACD6B714D94D5322876BD50051479B7A0C686DC2E9EB06B3B7A0BC06C9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
23
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.29:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1672
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1672
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2600
msiexec.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D
unknown
whitelisted
2600
msiexec.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEH4ARelVJGiI%2FoCQDtLSH2A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
23.216.77.29:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.29
  • 23.216.77.21
  • 23.216.77.30
  • 23.216.77.19
  • 23.216.77.10
  • 23.216.77.33
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.69
  • 40.126.31.129
  • 40.126.31.73
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.2
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WD Backup.exe