File name:

x269280.bat

Full analysis: https://app.any.run/tasks/ea8f7a0d-506e-4db5-b5c3-47e2b0bd52ef
Verdict: Malicious activity
Threats:

Cryptomining malware hijacks a victim's computing resources to mine cryptocurrency. It is deployed either as a binary on an infected machine or as script on a compromised website; in both cases the miner consumes the device's CPU/GPU time, power and network bandwidth.

Analysis date: December 23, 2024, 18:12:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zephyr
miner
susp-powershell
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

C36788578D91842B6781CC4A787FFCE7

SHA1:

ED4B8C7F263EFF747416F1F971EBFED6056FF20A

SHA256:

B89BC4C948D65DB77EA54A7C34ABB0DE5080CBD71B7E8AB38EF78A069B8F825B

SSDEEP:

12:EfQBu0YBKYoV5BQx1ijBG2BGfxBlc09B13Bu09QB1sYocYoU:xBeBQQxaBG2BGfxBe09B1BHQBy

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be influenced by analyst actions inside the sandbox and is provided as-is for the reader's consideration. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • ZEPHYR has been detected

      • xcopy.exe (PID: 6680)
      • xcopy.exe (PID: 5400)
      • printui.exe (PID: 6356)
    • Adds path to the Windows Defender exclusion list

      • printui.exe (PID: 6356)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 6204)
      • cmd.exe (PID: 6216)
    • Creates or modifies Windows services

      • reg.exe (PID: 3560)
    • Starts CMD.EXE for self-deleting

      • printui.exe (PID: 6356)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 3224)
  • SUSPICIOUS

    • Process copies executable file

      • cmd.exe (PID: 6396)
      • cmd.exe (PID: 5464)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6396)
      • cmd.exe (PID: 5464)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6164)
      • printui.exe (PID: 6356)
      • console_zero.exe (PID: 6092)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6164)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6164)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 6680)
      • xcopy.exe (PID: 5400)
      • printui.exe (PID: 6356)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 7092)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7092)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 6204)
      • cmd.exe (PID: 6216)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7044)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 6204)
      • cmd.exe (PID: 6216)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5488)
    • Process drops legitimate windows executable

      • printui.exe (PID: 6356)
    • The process drops C-runtime libraries

      • printui.exe (PID: 6356)
    • Creates a new Windows service

      • sc.exe (PID: 6816)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5488)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 2144)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5028)
    • The process deletes folder without confirmation

      • printui.exe (PID: 6356)
    • Reads security settings of Internet Explorer

      • SecHealthUI.exe (PID: 6980)
  • INFO

    • Changes the display of characters in the console

      • cmd.exe (PID: 6396)
      • cmd.exe (PID: 5464)
    • The process uses the downloaded file

      • wscript.exe (PID: 6164)
      • WinRAR.exe (PID: 4308)
      • cmd.exe (PID: 5464)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 6488)
      • powershell.exe (PID: 6904)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6640)
      • explorer.exe (PID: 6864)
    • Manual execution by a user

      • wscript.exe (PID: 6164)
      • WinRAR.exe (PID: 4308)
    • The sample compiled with english language support

      • xcopy.exe (PID: 6680)
      • xcopy.exe (PID: 5400)
      • printui.exe (PID: 6356)
    • Checks supported languages

      • chcp.com (PID: 6460)
      • chcp.com (PID: 6252)
      • printui.exe (PID: 6356)
      • console_zero.exe (PID: 6092)
      • SecHealthUI.exe (PID: 6980)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • printui.exe (PID: 6356)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 6488)
      • powershell.exe (PID: 6904)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 6488)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 6904)
    • Sends debugging messages

      • SecHealthUI.exe (PID: 6980)
    • Reads the computer name

      • SecHealthUI.exe (PID: 6980)
    • Checks transactions between databases Windows and Oracle

      • SecurityHealthHost.exe (PID: 4596)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 193
Monitored processes: 58
Malicious processes: 7
Suspicious processes: 5

Behavior graph

Processes in the behavior graph, in order of appearance (processes tagged #ZEPHYR are the ones the sandbox attributed to the miner):
cmd.exe, conhost.exe, chcp.com, explorer.exe, explorer.exe, #ZEPHYR xcopy.exe, xcopy.exe, winrar.exe, rundll32.exe, wscript.exe, cmd.exe, conhost.exe, chcp.com, explorer.exe, explorer.exe, #ZEPHYR xcopy.exe, xcopy.exe, printui.exe, printui.exe, #ZEPHYR printui.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, powershell.exe, sechealthui.exe, securityhealthhost.exe, securityhealthhost.exe, securityhealthhost.exe, cmd.exe, conhost.exe, sc.exe, reg.exe, sc.exe, cmd.exe, conhost.exe, console_zero.exe, cmd.exe, cmd.exe, conhost.exe, conhost.exe, timeout.exe, timeout.exe, securityhealthhost.exe, securityhealthhost.exe, cmd.exe, conhost.exe, schtasks.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, powershell.exe

Process information

Each entry lists PID, command line, image path and parent process, followed by user, company, integrity level, description, exit code, version and the first loaded modules.

PID: 648
CMD: xcopy "x325336.dat" "C:\Windows \System32" /Y
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll
PID: 2136
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\svculdr64.dat"
Path: C:\Windows\System32\cmd.exe
Parent process: printui.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2260
CMD: timeout /t 16 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2452
CMD: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Path: C:\Windows\System32\cmd.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2484
CMD: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
Path: C:\Windows\System32\SecurityHealthHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Security Health Host
Exit code:
0
Version:
4.18.1907.16384 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\securityhealthhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
PID: 2512
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3172
CMD: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3224
CMD: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Path: C:\Windows\System32\cmd.exe
Parent process: console_zero.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 3560
CMD: explorer "..\NEW VOLUME"
Path: C:\Windows\explorer.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
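The process table above shows the whole chain in command lines: xcopy stages files into "C:\Windows \System32" (note the space after "Windows"), printui.exe runs from that directory with HIGH-integrity children and a printui.dll dropped beside it, PowerShell adds Defender exclusions, schtasks registers an ONLOGON task with /rl HIGHEST, and a "timeout && del" child cleans up the dropped svculdr64.dat. The trailing-space directory matters because Windows trims trailing spaces and dots when it resolves a path component, so a check that compares a resolved path against the trusted System32 directory sees "C:\Windows\System32\printui.exe" while the binary actually loads from the spoofed folder; a HIGH-integrity printui.exe with a side-by-side printui.dll is consistent with that auto-elevation bypass. The script below is an added example, not part of the ANY.RUN report or of the sample: it turns those observations into process-creation detection rules and runs them over constructed events built from the command lines in the table. The command line for the printui.exe event (PID 6356) is assumed, since the report lists its dropped path and its children but not its own command line; the rule names are this example's own.

```python
"""Detection rules for the behaviors in this report, applied to constructed
process-creation events (example code, not part of the ANY.RUN report)."""
import re
from dataclasses import dataclass

# Directories whose contents UAC treats as trusted for auto-elevation.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ProcEvent:
    pid: int
    image: str      # full path of the started executable
    cmdline: str
    parent: str     # parent image name
    integrity: str  # MEDIUM / HIGH / SYSTEM, as in the report


# Constructed sample events. Command lines, PIDs, parents and integrity levels are
# taken from the process table above; the printui.exe event (6356) is assumed,
# because the report shows its dropped path and its HIGH-integrity children but
# not its own command line.
EVENTS = [
    ProcEvent(648, r"C:\Windows\System32\xcopy.exe",
              r'xcopy "x325336.dat" "C:\Windows \System32" /Y', "cmd.exe", "MEDIUM"),
    ProcEvent(6356, r"C:\Windows \System32\printui.exe",
              r'"C:\Windows \System32\printui.exe"', "cmd.exe", "HIGH"),
    ProcEvent(2144, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\svculdr64.dat"',
              "printui.exe", "HIGH"),
    ProcEvent(2452, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'",
              "svchost.exe", "SYSTEM"),
    ProcEvent(3172, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'",
              "cmd.exe", "SYSTEM"),
    ProcEvent(3224, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f',
              "console_zero.exe", "HIGH"),
    ProcEvent(2136, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "cmd.exe", "MEDIUM"),
]

# Drive-letter paths in double quotes, single quotes, or bare.
PATH_RE = re.compile(r'''"([A-Za-z]:\\[^"]*)"|'([A-Za-z]:\\[^']*)'|([A-Za-z]:\\[^\s"']+)''')

RULES = {
    "defender_exclusion_added":
        re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I),
    "scheduled_task_highest_runlevel":
        re.compile(r"\bschtasks\b.*/create\b.*/rl\s+HIGHEST", re.I),
    "delayed_self_delete":
        re.compile(r"\btimeout\b.*&&\s*del\b", re.I),
    "service_created_via_sc":
        re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I),
}


def windows_paths(text):
    """Return every drive-letter path found in a command line."""
    return [a or b or c for a, b, c in PATH_RE.findall(text)]


def win32_normalize(path):
    """Approximate Win32 component resolution: trailing spaces and dots are trimmed
    from each segment, so 'C:\\Windows \\System32\\x.exe' resolves to the real System32."""
    return "\\".join(seg.rstrip(" .") for seg in path.split("\\"))


def spoofed_segment(path):
    """First segment that differs from its trimmed form ('Windows ' in this sample), else None."""
    for seg in path.split("\\")[1:]:
        if seg and seg != seg.rstrip(" ."):
            return seg
    return None


def appears_trusted(image):
    """True when the image only looks like it lives in a trusted directory after trimming."""
    norm = win32_normalize(image).lower()
    return norm != image.lower() and norm.startswith(tuple(d + "\\" for d in TRUSTED_DIRS))


def detect(events):
    """Return (pid, rule, evidence) triples for every rule each event matches."""
    findings = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev.cmdline):
                findings.append((ev.pid, name, ev.cmdline))
        spoofed = [p for p in windows_paths(ev.cmdline) if spoofed_segment(p)]
        if spoofed:
            findings.append((ev.pid, "mock_trusted_dir_referenced", spoofed[0]))
        # A HIGH/SYSTEM process whose real directory is a trimmed look-alike of System32
        # is the auto-elevation outcome, not merely the staging step.
        if ev.integrity in ("HIGH", "SYSTEM") and appears_trusted(ev.image):
            findings.append((ev.pid, "auto_elevated_from_mock_trusted_dir", ev.image))
    return findings


def findings_by_pid(events):
    """Group rule names per PID, so a triage view can sort by how many rules fired."""
    grouped = {}
    for pid, rule, _ in detect(events):
        grouped.setdefault(pid, set()).add(rule)
    return grouped


if __name__ == "__main__":
    for pid, rules in sorted(findings_by_pid(EVENTS).items()):
        print(pid, ", ".join(sorted(rules)))
```

Run it with python3 and it prints the rules that fired per PID; the conhost.exe event is included as a benign control and produces nothing. On a live host the same checks apply to Sysmon event ID 1 or Security event 4688 command lines. A directory name ending in a space under the system drive is an indicator on its own: it normally cannot be created through a plain Win32 path (it takes the \\?\ prefix, which some copy tools use internally), so its mere presence, let alone an elevated process running from it, warrants a look.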
Total events: 45 917
Read events: 45 861
Write events: 55
Delete events: 1

Modification events

(PID) Process: (6640) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: MinimizedStateTabletModeOff
Value:
0
(PID) Process: (6640) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: QatItems
Value:
(PID) Process: (6640) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Operation: write
Name: ITBar7Layout
Value:
13000000000000000000000020000000100000000000000001000000010700005E01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6640) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process: (6640) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
040000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process: (6640) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell
Operation: write
Name: SniffedFolderType
Value:
Documents
(PID) Process: (6640) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value:
105
(PID) Process: (6640) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value:
0AA8696700000000
(PID) Process: (6640) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation: write
Name: MRUListEx
Value:
040000000000000005000000020000000100000003000000FFFFFFFF
(PID) Process: (6640) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation: write
Name: Locked
Value:
1
Executable files: 15
Suspicious files: 4
Text files: 19
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4308 | WinRAR.exe | C:\Users\admin\Desktop\test\rootdir\x325336.dat |
  MD5:
  SHA256:
648 | xcopy.exe | C:\Windows \System32\x325336.dat |
  MD5:
  SHA256:
5464 | cmd.exe | C:\Windows \System32\printui.dll |
  MD5:
  SHA256:
4308 | WinRAR.exe | C:\Users\admin\Desktop\test\rootdir\x269280.bat | text
  MD5: C36788578D91842B6781CC4A787FFCE7
  SHA256: B89BC4C948D65DB77EA54A7C34ABB0DE5080CBD71B7E8AB38EF78A069B8F825B
5400 | xcopy.exe | C:\Windows \System32\printui.exe | executable
  MD5: E43252474ADF63E69B1FC65D202D88C3
  SHA256: 53DB039D9D46F2F3F80DF42C8BA48BB96CE4FB96C1BFCE5CD61514A7FF369411
4308 | WinRAR.exe | C:\Users\admin\Desktop\test\rootdir\rootcomp.dat | text
  MD5: 4BE1062CC854A22D081E4E48A7440A56
  SHA256: CC5B8927042C9C363ED9D5301BC4E5ADBD3EB090562ADABC5B1461AD46598B54
4308 | WinRAR.exe | C:\Users\admin\Desktop\test\NEW VOLUME.lnk | binary
  MD5: 498665E7A1985CA18C28653744F146E8
  SHA256: 3CC67C231B236B1BE933A7EAB1389C3119F8E33FBEC11115733C59587ECB4E8B
7044 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 3FE98E0D97E8A9E7B7E95C3403073C12
  SHA256: 68993F7578DC49D9C5F99982E98C5A12DF32219425799A66DF79ADDEC171D457
6356 | printui.exe | C:\Windows\System32\svculdr64.dat | executable
  MD5: 274B1840839ADB90CE331A7C702BD83A
  SHA256: 469CCF15CFAAD396E385C553E4EAB9239A10BAB1C7D6505D31D38FB1C15AE4BF
7044 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wjxu2hgf.5tc.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 44
DNS requests: 24
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3296 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3296 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6240 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6240 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
372 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 2.23.209.189:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3296 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3296 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4160 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.23.209.179:443 | www.bing.com | Akamai International B.V. | GB | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.149
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.177
  • 2.23.209.148
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
google.com
  • 216.58.212.142
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.75
  • 20.190.159.73
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info