File name: Admin By Request 8.3 Workstation.msi
Full analysis: https://app.any.run/tasks/90211b04-b1e8-42ec-b815-a3976e5aeafd
Verdict: Malicious activity
Analysis date: June 18, 2024, 21:01:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Admin By Request Workstation, Author: FastTrack Software, Keywords: Installer, Comments: Admin By Request Workstation 8.3.1.0, Template: Intel;1033, Revision Number: {A246AF5A-3A17-4FAB-8247-FE56D9D56BAF}, Create Time/Date: Tue Jun 18 20:43:20 2024, Last Saved Time/Date: Tue Jun 18 20:43:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 2
MD5: 0857F6C79B81FC1035BB4E7CD00F41A3
SHA1: CFA9C12E6490E2339AF391A2AC6F449F1A304995
SHA256: B660029AA90A59A136366E534CA2CF68AC8A8372313FB4A98728955668B7E4B1
SSDEEP: 98304:CHopsdwY+fVU/C7w0XM6VNuGW58C26mHsPKXJ3zEr70ODrcbguLXp5Re4DwPEWax:ii

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3424)
      • msiexec.exe (PID: 3396)
      • Audckq32.exe (PID: 3084)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3396)
      • Audckq32.exe (PID: 3084)
      • adminbyrequest.exe (PID: 4052)
    • Creates a writable file in the system directory

      • Audckq32.exe (PID: 3084)
    • Application was injected by another process

      • explorer.exe (PID: 1296)
    • Runs injected code in another process

      • Shell.exe (PID: 3404)
    • UAC/LUA settings modification

      • Audckq32.exe (PID: 3084)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 3204)
      • Audckq32.exe (PID: 3084)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 3396)
      • Audckq32.exe (PID: 3084)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3396)
      • Audckq32.exe (PID: 3084)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 3396)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 3396)
      • Audckq32.exe (PID: 3084)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3396)
    • Executable content was dropped or overwritten

      • Audckq32.exe (PID: 3084)
    • Reads security settings of Internet Explorer

      • adminbyrequest.exe (PID: 4052)
    • Reads the Internet Settings

      • adminbyrequest.exe (PID: 4052)
    • Changes default file association

      • adminbyrequest.exe (PID: 4052)
    • Searches for installed software

      • Audckq32.exe (PID: 3084)
    • The process executes via Task Scheduler

      • Wafbsr32.exe (PID: 2276)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3424)
      • explorer.exe (PID: 1296)
    • Checks supported languages

      • msiexec.exe (PID: 3396)
      • Switchback.exe (PID: 932)
      • Audckq32.exe (PID: 3084)
      • Shell.exe (PID: 3404)
      • Wafbsr32.exe (PID: 2276)
      • adminbyrequest.exe (PID: 4052)
    • Reads the computer name

      • msiexec.exe (PID: 3396)
      • Switchback.exe (PID: 932)
      • Audckq32.exe (PID: 3084)
      • adminbyrequest.exe (PID: 4052)
      • Wafbsr32.exe (PID: 2276)
    • Reads the software policy settings

      • msiexec.exe (PID: 3424)
      • msiexec.exe (PID: 3396)
      • Audckq32.exe (PID: 3084)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3396)
      • Switchback.exe (PID: 932)
      • Audckq32.exe (PID: 3084)
      • Wafbsr32.exe (PID: 2276)
      • adminbyrequest.exe (PID: 4052)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3396)
    • Create files in a temporary directory

      • msiexec.exe (PID: 3396)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3396)
    • Reads Environment values

      • Audckq32.exe (PID: 3084)
      • adminbyrequest.exe (PID: 4052)
    • Creates files in the program directory

      • Audckq32.exe (PID: 3084)
    • Disables trace logs

      • Audckq32.exe (PID: 3084)
      • adminbyrequest.exe (PID: 4052)
    • Reads CPU info

      • Audckq32.exe (PID: 3084)
    • Creates files or folders in the user directory

      • adminbyrequest.exe (PID: 4052)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Admin By Request Workstation
Author: FastTrack Software
Keywords: Installer
Comments: Admin By Request Workstation 8.3.1.0
Template: Intel;1033
RevisionNumber: {A246AF5A-3A17-4FAB-8247-FE56D9D56BAF}
CreateDate: 2024:06:18 20:43:20
ModifyDate: 2024:06:18 20:43:20
Pages: 200
Words: 2
Software: Windows Installer XML (3.5.2519.0)
Security: Read-only recommended
All screenshots are available in the full report
Total processes: 48
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process nodes, in the order the report draws them (the report's own "no specs" marker is kept): start, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), switchback.exe (no specs), audckq32.exe, adminbyrequest.exe, shell.exe (no specs), wafbsr32.exe (no specs), explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 932
CMD: "C:\Program Files\FastTrack Software\Admin By Request\Switchback.exe" /CheckRuntime
Path: C:\Program Files\FastTrack Software\Admin By Request\Switchback.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Description: Switchback
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\program files\fasttrack software\admin by request\switchback.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1296
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 2276
CMD: "C:\Program Files\Common Files\VAudio\WAFBSR32.exe"
Path: C:\Program Files\Common Files\VAudio\Wafbsr32.exe
Parent process: taskeng.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: Watchdog
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\program files\common files\vaudio\wafbsr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3084
CMD: "C:\Program Files\Common Files\VAudio\Audckq32.exe"
Path: C:\Program Files\Common Files\VAudio\Audckq32.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: Audio provider
Version: 8.3.1.0
Modules
Images
c:\program files\common files\vaudio\audckq32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3204
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3396
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3404
CMD: "C:\Program Files\FastTrack Software\Admin By Request\shell.exe"
Path: C:\Program Files\FastTrack Software\Admin By Request\Shell.exe
Parent process: adminbyrequest.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\program files\fasttrack software\admin by request\shell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\programdata\fasttrack software\admin by request\shell.dll
PID: 3424
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Admin By Request 8.3 Workstation.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 4052
CMD: "C:\Program Files\FastTrack Software\Admin By Request\adminbyrequest.exe"
Path: C:\Program Files\FastTrack Software\Admin By Request\adminbyrequest.exe
Parent process: Audckq32.exe
User: admin
Integrity Level: MEDIUM
Description: Admin By Request
Version: 8.3.1.0
Modules
Images
c:\program files\fasttrack software\admin by request\adminbyrequest.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
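The process table above is the raw material for the "Malicious" verdict, and rebuilding the tree by hand is how an analyst decides whether to believe it. The script below is an added example, not ANY.RUN code: it reloads the nine records transcribed from this section (parents by image name, as the report gives them), rebuilds the tree, and flags the three patterns the report's own signatures rest on: an image started by services.exe or taskeng.exe from outside C:\Windows (Audckq32.exe, Wafbsr32.exe), a kernel32/user32-style file name living outside C:\Windows, and a SYSTEM process spawning a process in the logged-on user's context (Audckq32.exe -> adminbyrequest.exe). Every one of these is also what an endpoint privilege-management agent does by design, so the output is a list of things to verify (signer, whether the deployment was expected), not a conviction; the report shows the service validating certificates via OCSP but never prints the signer, so that check is on the analyst. The rule names and the handling of parents that are given only by name (msiexec.exe matches two PIDs here) are this example's own.

```python
"""Rebuild the process tree from the report's table and flag the patterns a
sandbox verdict rests on. Added example, not ANY.RUN code; records are
transcribed from the report, parents are image names as the report gives them."""
import re

PROCESSES = [
    # pid, image, path, user, integrity, parent image (None = not listed)
    (932,  "Switchback.exe",     r"C:\Program Files\FastTrack Software\Admin By Request\Switchback.exe",    "admin",  "MEDIUM", "msiexec.exe"),
    (1296, "explorer.exe",       r"C:\Windows\explorer.exe",                                                 "admin",  "MEDIUM", None),
    (2276, "Wafbsr32.exe",       r"C:\Program Files\Common Files\VAudio\Wafbsr32.exe",                       "SYSTEM", "SYSTEM", "taskeng.exe"),
    (3084, "Audckq32.exe",       r"C:\Program Files\Common Files\VAudio\Audckq32.exe",                       "SYSTEM", "SYSTEM", "services.exe"),
    (3204, "VSSVC.exe",          r"C:\Windows\System32\VSSVC.exe",                                           "SYSTEM", "SYSTEM", "services.exe"),
    (3396, "msiexec.exe",        r"C:\Windows\System32\msiexec.exe",                                         "SYSTEM", "SYSTEM", "services.exe"),
    (3404, "Shell.exe",          r"C:\Program Files\FastTrack Software\Admin By Request\Shell.exe",          "admin",  "MEDIUM", "adminbyrequest.exe"),
    (3424, "msiexec.exe",        r"C:\Windows\System32\msiexec.exe",                                         "admin",  "MEDIUM", "explorer.exe"),
    (4052, "adminbyrequest.exe", r"C:\Program Files\FastTrack Software\Admin By Request\adminbyrequest.exe", "admin",  "MEDIUM", "Audckq32.exe"),
]
FIELDS = ("pid", "image", "path", "user", "integrity", "parent")

# kernel32/user32-style names: letters followed by "32.exe"
OS_STYLE_NAME = re.compile(r"^[a-z]+32\.exe$", re.I)


def load(rows=PROCESSES):
    return [dict(zip(FIELDS, r)) for r in rows]


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def parent_candidates(proc, procs):
    """Resolve a parent given only by image name; may be ambiguous (msiexec.exe here)."""
    if not proc["parent"]:
        return []
    return [p for p in procs if p["image"].lower() == proc["parent"].lower()]


def triage(procs=None):
    """Return {pid: [finding, ...]} for flagged processes only (hypothetical rule names)."""
    procs = procs or load()
    findings = {}
    for proc in procs:
        hits = []
        if proc["parent"] == "services.exe" and not under_windows(proc["path"]):
            hits.append("service_image_outside_windows")
        if proc["parent"] == "taskeng.exe" and not under_windows(proc["path"]):
            hits.append("scheduled_task_image_outside_windows")
        if OS_STYLE_NAME.match(proc["image"]) and not under_windows(proc["path"]):
            hits.append("os_style_name_outside_windows")
        parents = parent_candidates(proc, procs)
        # only fire when the parent is unambiguous; an ambiguous one is left to the analyst
        if len(parents) == 1 and parents[0]["user"] == "SYSTEM" and proc["user"] != "SYSTEM":
            hits.append("system_process_spawned_user_process")
        if hits:
            findings[proc["pid"]] = hits
    return findings


def render_tree(procs=None):
    """Indented tree; a process whose parent is absent or ambiguous becomes a root."""
    procs = procs or load()
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + f"{node['image']} ({node['pid']}, {node['user']}, {node['integrity']})")
        for child in procs:
            cands = parent_candidates(child, procs)
            if len(cands) == 1 and cands[0] is node:
                walk(child, depth + 1)

    for p in procs:
        if len(parent_candidates(p, procs)) != 1:
            walk(p, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree())
    for pid, hits in sorted(triage().items()):
        print(pid, ", ".join(hits))
```

triage() returns findings for PIDs 3084, 2276 and 4052 only; VSSVC.exe and the SYSTEM msiexec.exe are started by services.exe too but live under C:\Windows, and Switchback.exe is left unflagged because its parent cannot be resolved to one PID from the report's data.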
Total events: 32 224
Read events: 31 707
Write events: 500
Delete events: 17

Modification events

(PID) Process: (1296) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:

(PID) Process: (3424) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1296) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre (UserAssist value names are ROT13-encoded; this one decodes to Microsoft.Windows.WindowsInstaller)
Value: 00000000000000000200000008FE0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000

(PID) Process: (1296) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA (ROT13 of UEME_CTLSESSION)
Value:
00000000DF01000052030000A4CC9801440000008A000000427732007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E00650078006500000000000000F8E2A100FFFFFFFF482F2A00FFFFFFFF70594E75000000000000000094E2A1007C904A750004000000000000F8E2A100FFFFFFFF482F2A00FFFFFFFF98F72900E8FA2900402F2A00C4E2A100F7AF017680D0347604F0A100081D0276E4610276E8232800F8E2A10000000000840000000A70D6A8D8E2A100A1690276E8232800F8E2A1000000000004E5A1003F610276E8232800F8E2A10000000400000000804C610276E823280063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D00690063001100000090522800885228005C006900BCE300009A71D6A86CE3A1005E900276BCE3A10034550000A671D6A880E3A100929B0276385505024C06000098E3A100A8500502A4E3A100549B02761290027611000000905228008852280040E4A100C850050210E400006671D6A8C0E3A1005E90027610E4A100C4E3A100039402760000000034550502ECE3A100A99302763455050298E4A100A8500502BD93027600000000A850050298E4A100F4E3A100440000008A000000427732007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E00650078006500000000000000F8E2A100FFFFFFFF482F2A00FFFFFFFF70594E75000000000000000094E2A1007C904A750004000000000000F8E2A100FFFFFFFF482F2A00FFFFFFFF98F72900E8FA2900402F2A00C4E2A100F7AF017680D0347604F0A100081D0276E4610276E8232800F8E2A10000000000840000000A70D6A8D8E2A100A1690276E8232800F8E2A1000000000004E5A1003F610276E8232800F8E2A10000000400000000804C610276E823280063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D00690063001100000090522800885228005C006900BCE300009A71D6A86CE3A1005E900276BCE3A10034550000A671D6A880E3A100929B0276385505024C06000098E3A100A8500502A4E3A100549B02761290027611000000905228008852280040E4A100
C850050210E400006671D6A8C0E3A1005E90027610E4A100C4E3A100039402760000000034550502ECE3A100A99302763455050298E4A100A8500502BD93027600000000A850050298E4A100F4E3A100440000008A000000427732007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E00650078006500000000000000F8E2A100FFFFFFFF482F2A00FFFFFFFF70594E75000000000000000094E2A1007C904A750004000000000000F8E2A100FFFFFFFF482F2A00FFFFFFFF98F72900E8FA2900402F2A00C4E2A100F7AF017680D0347604F0A100081D0276E4610276E8232800F8E2A10000000000840000000A70D6A8D8E2A100A1690276E8232800F8E2A1000000000004E5A1003F610276E8232800F8E2A10000000400000000804C610276E823280063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006D00690063001100000090522800885228005C006900BCE300009A71D6A86CE3A1005E900276BCE3A10034550000A671D6A880E3A100929B0276385505024C06000098E3A100A8500502A4E3A100549B02761290027611000000905228008852280040E4A100C850050210E400006671D6A8C0E3A1005E90027610E4A100C4E3A100039402760000000034550502ECE3A100A99302763455050298E4A100A8500502BD93027600000000A850050298E4A100F4E3A100

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000727F55D0C2C1DA01440D00007C0E0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4000000000000000CCE157D0C2C1DA01440D00007C0E0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 75

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4000000000000000287BB2D0C2C1DA01440D00007C0E0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000287BB2D0C2C1DA01440D0000480C0000E80300000100000000000000000000006889467F55AE4245BD45BBD4EA370C670000000000000000

(PID) Process: (3204) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 400000000000000036A2B9D0C2C1DA01840C00007C0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
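The binary values in the events above can be read offline, which is how an analyst turns a registry write into a timeline entry. The decoder below is an added example, not ANY.RUN code. It ROT13-decodes UserAssist value names, parses the Windows 7 UserAssist count record (72 bytes: session id, run count, focus count, focus time in ms, ten floats, four unknown bytes, FILETIME of last run at offset 60, four trailing bytes), and reads the VSS\Diag records. The VSS\Diag layout used here (record size at offset 0, FILETIME at 8, PID at 16, TID at 20, a GUID at 40) is an assumption read off these values rather than a documented structure; it is corroborated by the fact that the PIDs it yields (3396, 3204) match the msiexec.exe and VSSVC.exe entries of this report, the timestamp lands on the analysis date, and the GUID matches the {7f468968-ae55-4542-bd45-bbd4ea370c67} snapshot file in the dropped-files list further down.

```python
"""Decoders for the registry values in the modification-events section.
Added example, not ANY.RUN code. Win7 UserAssist layout is the documented one;
the VSS\Diag field offsets are an assumption checked against this report."""
import codecs
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Values copied from the modification events above (hex exactly as the report prints it).
UA_NAME = "Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre"
UA_VALUE = ("00000000000000000200000008FE0000000080BF000080BF000080BF000080BF000080BF"
            "000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000")
VSS_SRCREATERP = ("4000000000000000727F55D0C2C1DA01440D00007C0E0000D507000000000000"
                  "0000000000000000000000000000000000000000000000000000000000000000")
VSS_IDENTIFY_PUBLISHER = ("4000000000000000287BB2D0C2C1DA01440D0000480C0000E803000001000000"
                          "00000000000000006889467F55AE4245BD45BBD4EA370C670000000000000000")
VSS_IDENTIFY_REGDB = ("400000000000000036A2B9D0C2C1DA01840C00007C0C0000E803000001000000"
                      "0100000000000000000000000000000000000000000000000000000000000000")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(name):
    """UserAssist value names are ROT13 of the program id or path."""
    return codecs.decode(name, "rot_13")


def parse_userassist_win7(hexval):
    """Windows 7 UserAssist count record: <IIII> header, 10 floats, 4 unknown, FILETIME, 4 unknown."""
    raw = bytes.fromhex(hexval)
    session, runs, focus, focus_ms = struct.unpack_from("<IIII", raw, 0)
    rec = {"session": session, "run_count": runs, "focus_count": focus,
           "focus_time_ms": focus_ms, "last_run": None}
    if len(raw) >= 68:
        ft, = struct.unpack_from("<Q", raw, 60)
        if ft:                      # zero means "never recorded"
            rec["last_run"] = filetime_to_datetime(ft)
    return rec


def parse_vss_diag(hexval):
    """VSS\\Diag record (assumed layout): size, FILETIME, PID, TID, ..., GUID at offset 40."""
    raw = bytes.fromhex(hexval)
    size, ft, pid, tid = struct.unpack_from("<QQII", raw, 0)
    rec = {"size": size, "time": filetime_to_datetime(ft), "pid": pid, "tid": tid, "guid": None}
    if len(raw) >= 56:
        g = uuid.UUID(bytes_le=raw[40:56])   # mixed-endian on-disk GUID
        if g.int:
            rec["guid"] = str(g)
    return rec


if __name__ == "__main__":
    print(decode_userassist_name(UA_NAME), parse_userassist_win7(UA_VALUE))
    for label, val in (("SrCreateRp", VSS_SRCREATERP),
                       ("VssapiPublisher IDENTIFY", VSS_IDENTIFY_PUBLISHER),
                       ("COM+ REGDB Writer IDENTIFY", VSS_IDENTIFY_REGDB)):
        r = parse_vss_diag(val)
        print(f"{label}: pid={r['pid']} tid={r['tid']} time={r['time'].isoformat()} guid={r['guid']}")
```

The SrCreateRp record decodes to 2024-06-18 21:02 UTC written by PID 3396, a few seconds after the report's stated analysis time, which is the kind of cross-check that tells you the offsets are right before you rely on them in a timeline.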
Executable files: 20
Suspicious files: 13
Text files: 9
Unknown types: 5

Dropped files

(- = empty in the report)

3396 msiexec.exe: C:\System Volume Information\SPP\metadata-2 (type -)
MD5: -
SHA256: -

3396 msiexec.exe: C:\System Volume Information\SPP\OnlineMetadataCache\{7f468968-ae55-4542-bd45-bbd4ea370c67}_OnDiskSnapshotProp (binary)
MD5: 49C341478F985C53E303C81BB35B53F4
SHA256: C052905A9DA55713FA711DBF7DBC329360B45B15DF662C56F6B0102931614FAF

3396 msiexec.exe: C:\Windows\Installer\5306f.ipi (binary)
MD5: 58377F9B7DBFAFE24D1C240889034DBF
SHA256: E6BDC07492A42CCE3B5883CEDE28880E6B69E16DB629088CF6EDCF41AC3E91CD

3396 msiexec.exe: C:\Windows\Installer\MSI338B.tmp (binary)
MD5: 1C2A54ACFCEF896CD3D417201B5A1041
SHA256: CD992628E00C367FBACF0341FB431B90B1D1373D531726CE2BC2CB0990C9B9FD

3396 msiexec.exe: C:\Program Files\FastTrack Software\Admin By Request\AdminByRequest.exe (executable)
MD5: 1C36E742813872FE0A7EAD5D99AF8F46
SHA256: 335D76AFB270F825D1BE0FD1249DDF08E4DAB64E34C1E52AC216D210A5E3D044

3396 msiexec.exe: C:\Program Files\FastTrack Software\Admin By Request\Switchback.exe.config (xml)
MD5: 6849F01BA593D813EE23A681403186F2
SHA256: 38C1D53F93FDD2B017474B9A7E548BBFAB75EC4A737330EE420385ED264F2CD3

3396 msiexec.exe: C:\Program Files\FastTrack Software\Admin By Request\ShellHandler32.exe (executable)
MD5: C92F1609CCC8E50B25C11791E607B6B6
SHA256: 8D5C3776A4F6F6C2ED5AE4E1A92A0BAD9876C41DDA997B779C6993B3983C37FE

3396 msiexec.exe: C:\Program Files\FastTrack Software\Admin By Request\Switchback.exe (executable)
MD5: 620700C37366A9F66B0E290F7D750E6F
SHA256: 46E282424FABA3560E574D1B1398A675C8220882DDAE309A412D41DAD8994D18

3396 msiexec.exe: C:\Program Files\FastTrack Software\Admin By Request\ShellHelper32.dll (executable)
MD5: 3995260518373F4FDBB5B2B8DCD4395A
SHA256: 8B27C7FEF77ED2646B9AD74D360DA1FE610E89E19E08ADB7A5133E391D3FD49A

3396 msiexec.exe: C:\Program Files\Common Files\VAudio\Audckq32.cfg (text)
MD5: 183CABC36247DBF221BE2FDC77AEB9F9
SHA256: 64B34E73C69E2D1BB2203F666DED40261285F93F1614090E150E68883BA30A70
HTTP(S) requests: 8
TCP/UDP connections: 13
DNS requests: 7
Threats: 0

HTTP requests

(the report's Type and Size columns were empty for every request and are omitted)

PID   Process       Method  Code  IP                  CN       Reputation  URL
1372  svchost.exe   GET     304   72.247.153.178:80   unknown  unknown     http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
1372  svchost.exe   GET     200   104.124.11.17:80    unknown  unknown     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
3084  Audckq32.exe  GET     304   72.247.153.178:80   unknown  unknown     http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?28687b728381fc1a
3084  Audckq32.exe  GET     200   192.229.221.95:80   unknown  unknown     http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
1372  svchost.exe   GET     200   92.122.89.124:80    unknown  unknown     http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
3084  Audckq32.exe  GET     200   192.229.221.95:80   unknown  unknown     http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
3084  Audckq32.exe  GET     200   192.229.221.95:80   unknown  unknown     http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAhEhm9tYYXSsl4OtiIihwE%3D
1060  svchost.exe   GET     304   72.247.153.178:80   unknown  unknown     http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d
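Three of the eight requests are OCSP GETs from the service process, alongside the CTL and CRL downloads that Windows makes when a binary's Authenticode chain is validated (the report's "Checks Windows Trust Settings" signature). The path of an OCSP GET is a percent-encoded, base64 DER OCSPRequest (RFC 6960), so the certificate whose revocation status Audckq32.exe checked can be recovered from the URL alone, without the PCAP. The decoder below is an added example, not ANY.RUN code; it is a minimal DER walker that handles only the CertID fields (hash algorithm, issuer name hash, issuer key hash, serial number), not a full ASN.1 library. The two hashes identify the issuing CA only when compared against a CA certificate the analyst already has; the example does not name the CA or the signer.

```python
"""Recover the CertID from OCSP GET URLs in the HTTP table above.
Added example, not ANY.RUN code. Minimal DER walking, CertID fields only."""
import base64
from urllib.parse import unquote, urlsplit

# The three OCSP requests issued by PID 3084, copied from the HTTP table above.
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAhEhm9tYYXSsl4OtiIihwE%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode OID contents to dotted form (base-128 arcs after the first byte)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url):
    """Return one dict per Request in the OCSPRequest carried in the URL path."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    _, ocsp_request, _ = _tlv(der, 0)          # OCSPRequest ::= SEQUENCE
    _, tbs, _ = _tlv(ocsp_request, 0)          # tbsRequest (optionalSignature ignored)
    pos = 0
    while True:                                # skip optional [0] version / [1] requestorName
        tag, request_list, pos = _tlv(tbs, pos)
        if tag == 0x30:
            break
    results, rpos = [], 0
    while rpos < len(request_list):
        _, request, rpos = _tlv(request_list, rpos)
        _, cert_id, _ = _tlv(request, 0)       # reqCert CertID
        _, alg, p = _tlv(cert_id, 0)           # hashAlgorithm AlgorithmIdentifier
        _, alg_oid, _ = _tlv(alg, 0)
        _, name_hash, p = _tlv(cert_id, p)     # issuerNameHash OCTET STRING
        _, key_hash, p = _tlv(cert_id, p)      # issuerKeyHash OCTET STRING
        _, serial, p = _tlv(cert_id, p)        # serialNumber INTEGER
        oid = _oid(alg_oid)
        results.append({"hash_alg": HASH_OIDS.get(oid, oid),
                        "issuer_name_hash": name_hash.hex(),
                        "issuer_key_hash": key_hash.hex(),
                        "serial": serial.hex()})
    return results


if __name__ == "__main__":
    for url in OCSP_URLS:
        for r in parse_ocsp_get(url):
            print(r["hash_alg"], r["issuer_key_hash"], r["serial"])
```

All three requests use SHA-1 CertIDs, which is the default for Windows' CryptoAPI revocation checks, and three distinct serials means three certificates of a chain were checked; to go from these to a named CA, hash the issuer's subject DER and public key with SHA-1 and compare against the printed values.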

Connections

(- = empty in the report)

PID   Process       IP                    Domain                           ASN                          CN  Reputation
4     System        192.168.100.255:138   -                                -                            -   whitelisted
4     System        192.168.100.255:137   -                                -                            -   whitelisted
1060  svchost.exe   224.0.0.252:5355      -                                -                            -   unknown
1372  svchost.exe   20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
1372  svchost.exe   72.247.153.178:80     ctldl.windowsupdate.com          Akamai International B.V.    DE  unknown
1372  svchost.exe   104.124.11.17:80      crl.microsoft.com                Akamai International B.V.    DE  unknown
1372  svchost.exe   92.122.89.124:80      www.microsoft.com                Akamai International B.V.    NL  unknown
3084  Audckq32.exe  137.117.73.20:443     api2.adminbyrequest.com          MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown
3084  Audckq32.exe  72.247.153.178:80     ctldl.windowsupdate.com          Akamai International B.V.    DE  whitelisted
3084  Audckq32.exe  192.229.221.95:80     ocsp.digicert.com                EDGECAST                     US  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 72.247.153.178
  • 72.247.153.162
whitelisted
crl.microsoft.com
  • 104.124.11.17
  • 104.124.11.58
whitelisted
www.microsoft.com
  • 92.122.89.124
whitelisted
api2.adminbyrequest.com
  • 137.117.73.20
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
No debug info