File name:

2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/e5f86048-af4b-42aa-9e4a-01b77711864f
Verdict: Malicious activity
Analysis date: April 29, 2025, 18:51:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
rust
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

FAB6AD8AD8AFD49199D3D5346F0CBD99

SHA1:

57BB44FBBCD765064961E7EDDCAEC5F49140B702

SHA256:

BBC4F49BD024CE23F952A1644451D68F80445E52E24E90FF448E5B9D2C1D7C0D

SSDEEP:

98304:B8WUp3P3b13Ob0EPGkxaqxGEA3Pu2N2qI81u/POuLr+Erc7IFYn/DLw/DBW0616b:STXJpOCQX6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1276)
      • powershell.exe (PID: 6744)

    • Changes powershell execution policy (Bypass)

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Adds path to the Windows Defender exclusion list

      • ReleaseDirect.exe (PID: 6576)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6744)

    • XORed URL has been found (YARA)

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Changes Windows Defender settings

      • ReleaseDirect.exe (PID: 6576)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain data on processes

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Drops 7-zip archiver for unpacking

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Executable content was dropped or overwritten

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • ReleaseDirect.exe (PID: 6576)

    • The process hides Powershell's copyright startup banner

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Starts POWERSHELL.EXE for commands execution

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • ReleaseDirect.exe (PID: 6576)

    • Starts process via Powershell

      • powershell.exe (PID: 1276)
      • powershell.exe (PID: 6744)

    • The process bypasses the loading of PowerShell profile settings

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Uses NSLOOKUP.EXE to check DNS info

      • ReleaseDirect.exe (PID: 6576)
      • LearnLead.exe (PID: 6744)

    • Script adds exclusion path to Windows Defender

      • ReleaseDirect.exe (PID: 6576)

    • The process executes via Task Scheduler

      • LearnLead.exe (PID: 6744)

    • Executes as Windows Service

      • wsc_proxy.exe (PID: 5400)

    • Connects to unusual port

      • dllhost.exe (PID: 496)

    • Executes application which crashes

      • wsc_proxy.exe (PID: 5400)

    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 496)

  • INFO

    • Reads the computer name

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 1616)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • ReleaseDirect.exe (PID: 6576)
      • wsc_proxy.exe (PID: 5400)

    • The sample compiled with english language support

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 4208)

    • Creates files in the program directory

      • MIdCXYueaYVjpwb.exe (PID: 1616)
      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • wsc_proxy.exe (PID: 5400)
      • dllhost.exe (PID: 496)

    • Application based on Rust

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)

    • Checks proxy server information

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • dllhost.exe (PID: 496)
      • slui.exe (PID: 1348)

    • Checks supported languages

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 1616)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • ReleaseDirect.exe (PID: 6576)
      • LearnLead.exe (PID: 6744)
      • wsc_proxy.exe (PID: 5400)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6708)
      • WMIC.exe (PID: 6028)
      • dllhost.exe (PID: 496)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • ReleaseDirect.exe (PID: 6576)
      • LearnLead.exe (PID: 6744)

    • Application based on Golang

      • ReleaseDirect.exe (PID: 6576)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2644)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2644)

    • Reads the machine GUID from the registry

      • wsc_proxy.exe (PID: 5400)

    • Reads CPU info

      • wsc_proxy.exe (PID: 5400)

    • Reads the software policy settings

      • slui.exe (PID: 1348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(2852) 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
Decrypted-URLs (3)http://code.jquery.com/
http://wan.baidu.com/gift
http://xueshu.baidu.com
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:27 16:05:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 2279424
InitializedDataSize: 22918656
UninitializedDataSize: -
EntryPoint: 0x212828
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.1.0.0
ProductVersionNumber: 0.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: Copyright © 2023
ProductVersion: 0.1.0
FileVersion: 0.1.0
ProductName: Application Setup
FileDescription: Application Setup
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
161
Monitored processes
31
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #XOR-URL 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs midcxyueayvjpwb.exe no specs powershell.exe no specs conhost.exe no specs midcxyueayvjpwb.exe conhost.exe no specs releasedirect.exe nslookup.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs learnlead.exe no specs nslookup.exe conhost.exe no specs dllhost.exe no specs svchost.exe Virtual Factory for MaintenanceUI no specs dllhost.exe dllhost.exe no specs dllhost.exe no specs wsc_proxy.exe werfault.exe no specs Virtual Factory for MaintenanceUI no specs slui.exe 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Users\admin\Desktop\2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Application Setup
Exit code:
3221226540
Version:
0.1.0
Modules
Images
c:\users\admin\desktop\2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
496 /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}C:\Windows\SysWOW64\dllhost.exe
ReleaseDirect.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
680\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeMIdCXYueaYVjpwb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
928C:\WINDOWS\system32\DllHost.exe /Processid:{A6BFEA43-501F-456F-A845-983D3AD7B8F0}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
1228\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1276"powershell" -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "Start-Process -NoNewWindow -Wait -FilePath \"C:\Program Files (x86)\BrokerAdminister\MIdCXYueaYVjpwb.exe\" -ArgumentList @(\"x\",'\"C:\Program Files (x86)\BrokerAdminister\InspireInvestigatorJubilant\"', '\"-p9)=88wzYxSImproveProtectorCreative\"', '-o\"C:\Program Files (x86)\BrokerAdminister\"', \"-y\")"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1276 /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}C:\Windows\SysWOW64\dllhost.exeReleaseDirect.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
1324\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
32 385
Read events
31 329
Write events
27
Delete events
1 029

Modification events

(PID) Process:(2148) dllhost.exeKey:HKEY_CURRENT_USER\WEByte\Setup
Operation:delete valueName:kpi
Value:
(PID) Process:(6576) ReleaseDirect.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast
Operation:writeName:ProgramFolder
Value:
C:\Windows
(PID) Process:(496) dllhost.exeKey:HKEY_CURRENT_USER\WEByte\Setup
Operation:writeName:MarkTime
Value:
2025-04-29 18:52
(PID) Process:(5400) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\properties
Operation:writeName:UseRegistry
Value:
1
(PID) Process:(5400) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast\Wsc
Operation:writeName:IWscASStatus
Value:
Windows °²È«ÖÐÐÄ
(PID) Process:(5400) wsc_proxy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast\Wsc
Operation:writeName:IWscAVStatus4
Value:
Windows °²È«ÖÐÐÄ
(PID) Process:(2332) WerFault.exeKey:\REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(2332) WerFault.exeKey:\REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(2332) WerFault.exeKey:\REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile\wsc_proxy.exe|16071c0161cb698e
Operation:writeName:ProgramId
Value:
0006b6aa4fee73eab365f3bda034d8ea1e0e00000904
(PID) Process:(2332) WerFault.exeKey:\REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile\wsc_proxy.exe|16071c0161cb698e
Operation:writeName:FileId
Value:
0000ff2d55a844c1fd37b3841cefa7e2d21de5fa8bac
Executable files
20
Suspicious files
12
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
6744powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kf4nepno.tjd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1276powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:DEDC4C6EF77BA56159C7A83BFB6101F8
SHA256:6B61488130BDBD7C54A74531B72592B810966DFBB87C279CF0D5BDBE27151CBA
1276powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rprrt1cf.bwq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1616MIdCXYueaYVjpwb.exeC:\Program Files (x86)\BrokerAdminister\InfluenceBackerAstutecompressed
MD5:622C52C222A5835FC8653C85CA5439DF
SHA256:E94BF30D4A9982C84365D979DCCF844DB22524BE822C26E3AA1F58AABE0744B5
1276powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gjfqbmei.r1r.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
28522025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exeC:\Program Files (x86)\BrokerAdminister\InspireInvestigatorJubilantcompressed
MD5:A47FC9FF96285807EBAFB754D8F47DCD
SHA256:91161956EDF08F76352D77582416FF4940DA5FBA212563E05D8CFC97BD195199
28522025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exeC:\Program Files (x86)\BrokerAdminister\MIdCXYueaYVjpwb.exeexecutable
MD5:E877ED2D9463E6729DB5768F23640AA4
SHA256:2E2E69B6E3DA6D3BB46207D1393D6253E96ECB7DD1C4D6A41EC41A55F1516549
4208MIdCXYueaYVjpwb.exeC:\Program Files (x86)\BrokerAdminister\2_WipeHumble.xmltext
MD5:66C2F2B7C82C90ED649CA54ACA141773
SHA256:894977B93AB4FDEB9179329672ACA2860D57A70F52B90CF7E69D1513D4D8CAC7
4208MIdCXYueaYVjpwb.exeC:\Program Files (x86)\BrokerAdminister\2_LearnLead.exeexecutable
MD5:D6F14C7A678C49C841C3C3D805FD6573
SHA256:0BFD82D554A7A8A32BE3D9A0914071B375E1F827DEF85410E36690BADDF867CC
4208MIdCXYueaYVjpwb.exeC:\Program Files (x86)\BrokerAdminister\wsc_proxy.exeexecutable
MD5:06807D8D7282959CE062F92A708D382F
SHA256:BD4635D582413F84AC83ADBB4B449B18BAC4FC87CA000D0C7BE84AD0F9CAF68E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
54
DNS requests
69
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1616
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2984
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2984
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2852
2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
GET
110.242.69.67:80
http://110.242.69.67:80/gift
unknown
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
2984
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/sls/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1616
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1616
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
40.126.29.7:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
40.126.29.7:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.158
  • 23.48.23.164
  • 23.48.23.169
  • 23.48.23.159
  • 23.48.23.147
  • 23.48.23.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.29.7
  • 40.126.29.13
  • 20.190.157.11
  • 40.126.29.5
  • 40.126.29.12
  • 20.190.157.12
  • 20.190.157.9
  • 20.190.157.13
whitelisted
wan.baidu.com
  • 110.242.69.67
  • 110.242.69.7
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
2.100.168.192.in-addr.arpa
whitelisted
jiankang.baidu.com
  • 2.16.10.163
  • 2.16.10.183
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Process
Message
wsc_proxy.exe
[2025-04-29 18:52:02.303] [error ] [crashguard ] [ 5400: 5436] [E9669F: 103] Dump path 'C:\ProgramData\Avast Software\Avast\log' does not exist. Directory should be already created.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom