File name: Microsoft_Security_Essentials.exe

Full analysis: https://app.any.run/tasks/6cda1449-34a5-4e3f-af76-302d607c6738
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 28, 2020, 20:42:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AE1B867937C6A26F2CACBF24AA415948
SHA1: A6BDF709456B2E469C74A481EA94D9680E12B5C5
SHA256: C570211DD10ED0D85BB16BC1D09214EC4893CCA85282E673F833099C60F72ECD
SSDEEP: 49152:DzAHYd48o6OhXnbuVkNwGv/qRhsVaDGHgZiBrTL/L0ML8adHEKxLe24+:DEHYdD9vhssyAZi6cHr7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 58a3ab93445391306ebd.exe (PID: 1400)
      • epplauncher.exe (PID: 3556)
      • Setup.exe (PID: 3860)
      • MsMpEng.exe (PID: 620)
      • MpCmdRun.exe (PID: 2960)
      • MpCmdRun.exe (PID: 1968)
      • MpCmdRun.exe (PID: 3380)
      • MpCmdRun.exe (PID: 2832)
      • msseces.exe (PID: 3840)
    • Actions look like stealing of personal data

      • epplauncher.exe (PID: 3556)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3860)
      • svchost.exe (PID: 868)
      • services.exe (PID: 472)
      • MsMpEng.exe (PID: 620)
      • msseces.exe (PID: 3840)
      • MpCmdRun.exe (PID: 2960)
      • MpCmdRun.exe (PID: 1968)
      • MpCmdRun.exe (PID: 3380)
      • MpCmdRun.exe (PID: 2832)
    • Loads the Task Scheduler COM API

      • MsiExec.exe (PID: 3452)
      • sppsvc.exe (PID: 1844)
    • Modifies Windows Defender service settings

      • services.exe (PID: 472)
    • Changes settings of System certificates

      • svchost.exe (PID: 868)
      • epplauncher.exe (PID: 3556)
  • SUSPICIOUS

    • Changes IE settings (feature browser emulation)

      • Microsoft_Security_Essentials.exe (PID: 916)
    • Executable content was dropped or overwritten

      • Microsoft_Security_Essentials.exe (PID: 916)
      • 58a3ab93445391306ebd.exe (PID: 1400)
      • msiexec.exe (PID: 3084)
      • MsiExec.exe (PID: 3452)
      • Setup.exe (PID: 3860)
      • svchost.exe (PID: 868)
    • Reads internet explorer settings

      • Microsoft_Security_Essentials.exe (PID: 916)
    • Creates files in the program directory

      • epplauncher.exe (PID: 3556)
      • Setup.exe (PID: 3860)
      • MsMpEng.exe (PID: 620)
      • wermgr.exe (PID: 700)
      • wermgr.exe (PID: 3284)
      • wermgr.exe (PID: 2732)
      • wermgr.exe (PID: 1896)
    • Removes files from Windows directory

      • MsiExec.exe (PID: 3452)
      • svchost.exe (PID: 868)
      • wermgr.exe (PID: 700)
      • wermgr.exe (PID: 2732)
      • wermgr.exe (PID: 1896)
    • Creates files in the Windows directory

      • MsiExec.exe (PID: 3452)
      • svchost.exe (PID: 868)
      • MpCmdRun.exe (PID: 2960)
      • MpCmdRun.exe (PID: 2832)
      • Setup.exe (PID: 3860)
    • Creates files in the driver directory

      • MsiExec.exe (PID: 3452)
    • Creates or modifies Windows services

      • services.exe (PID: 472)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3084)
    • Creates COM task schedule object

      • msiexec.exe (PID: 3084)
    • Executed as Windows Service

      • MsMpEng.exe (PID: 620)
    • Creates a software uninstall entry

      • Setup.exe (PID: 3860)
    • Creates files in the user directory

      • Setup.exe (PID: 3860)
    • Adds / modifies Windows certificates

      • svchost.exe (PID: 868)
      • epplauncher.exe (PID: 3556)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 3084)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2436)
      • MsiExec.exe (PID: 3452)
    • Creates files in the program directory

      • msiexec.exe (PID: 3084)
    • Reads settings of System Certificates

      • epplauncher.exe (PID: 3556)
      • svchost.exe (PID: 868)
    • Creates or modifies Windows services

      • msiexec.exe (PID: 3084)
      • MsiExec.exe (PID: 3452)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3084)
    • Dropped object may contain Bitcoin addresses

      • MpCmdRun.exe (PID: 2960)
      • MpCmdRun.exe (PID: 1968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:02:11 12:50:49+01:00
PEType: PE32
LinkerVersion: 14
CodeSize: 1239552
InitializedDataSize: 1121792
UninitializedDataSize: -
EntryPoint: 0xa8a4a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Feb-2020 11:50:49
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • C:\develop\onlinesetupscript-innosetup\ewb\Release\Installer.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000138

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 11-Feb-2020 11:50:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0012E8C6 | 0x0012EA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52164
.rdata | 0x00130000 | 0x0005799E | 0x00057A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.32908
.data | 0x00188000 | 0x00009BA0 | 0x00006A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.46921
.gfids | 0x00192000 | 0x000008FC | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.86655
.tls | 0x00193000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931
.rsrc | 0x00194000 | 0x000A1858 | 0x000A1A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.9567
.reloc | 0x00236000 | 0x000113C8 | 0x00011400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.6071

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.89623 | 392 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 5.00191 | 2440 | Latin 1 / Western European | Russian - Russia | RT_ICON
3 | 4.81395 | 4264 | Latin 1 / Western European | Russian - Russia | RT_ICON
4 | 4.5487 | 9640 | Latin 1 / Western European | Russian - Russia | RT_ICON
5 | 4.47802 | 16936 | Latin 1 / Western European | Russian - Russia | RT_ICON
6 | 4.24993 | 67624 | Latin 1 / Western European | Russian - Russia | RT_ICON
7 | 2.79915 | 130 | Latin 1 / Western European | Russian - Russia | RT_STRING
8 | 2.82161 | 4264 | Latin 1 / Western European | Russian - Russia | RT_ICON
9 | 2.9458 | 1128 | Latin 1 / Western European | Russian - Russia | RT_ICON
29 | 3.29502 | 308 | Latin 1 / Western European | Russian - Russia | RT_STRING

Imports

ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WS2_32.dll

Exports

Title | Ordinal | Address
_EmbeddedWebBrowserAbort@4 | 1 | 0x000149B0
_EmbeddedWebBrowserCheckItem@8 | 2 | 0x00014890
_EmbeddedWebBrowserCheckOffersContent@20 | 3 | 0x00014B90
_EmbeddedWebBrowserCreate@28 | 4 | 0x0000DFF0
_EmbeddedWebBrowserDestroy@4 | 5 | 0x00014680
_EmbeddedWebBrowserGetLastClick@8 | 6 | 0x00014870
_EmbeddedWebBrowserGetOfferIndex@4 | 7 | 0x00015260
_EmbeddedWebBrowserGetOffersCount@4 | 8 | 0x00015210
_EmbeddedWebBrowserGetPage@4 | 9 | 0x00014A90
_EmbeddedWebBrowserGetTitleBarHeight@0 | 10 | 0x00015290
All screenshots are available in the full report
Total processes: 65
Monitored processes: 23
Malicious processes: 13
Suspicious processes: 2

Behavior graph: interactive process graph (drop and start chains from microsoft_security_essentials.exe through 58a3ab93445391306ebd.exe, epplauncher.exe, setup.exe and msiexec.exe), available in the full report

Process information

PID
CMD
Path
Indicators
Parent process
PID: 472
CMD: C:\Windows\system32\services.exe
Path: C:\Windows\System32\services.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Services and Controller app
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\services.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sspicli.dll
  • c:\windows\system32\profapi.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\cryptbase.dll
PID: 620
CMD: "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
Path: c:\Program Files\Microsoft Security Client\MsMpEng.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Antimalware Service Executable
Exit code: 0
Version: 4.10.0209.0
Modules (Images):
  • c:\program files\microsoft security client\msmpeng.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msasn1.dll
PID: 700
CMD: "C:\Windows\system32\wermgr.exe" "-outproc" "868" "4664"
Path: C:\Windows\system32\wermgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\wermgr.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\shlwapi.dll
PID: 868
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 916
CMD: "C:\Users\admin\AppData\Local\Temp\Microsoft_Security_Essentials.exe"
Path: C:\Users\admin\AppData\Local\Temp\Microsoft_Security_Essentials.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\microsoft_security_essentials.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 1000
CMD: "C:\Users\admin\AppData\Local\Temp\Microsoft_Security_Essentials.exe"
Path: C:\Users\admin\AppData\Local\Temp\Microsoft_Security_Essentials.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
  • c:\users\admin\appdata\local\temp\microsoft_security_essentials.exe
  • c:\systemroot\system32\ntdll.dll
PID: 1400
CMD: C:\Users\admin\AppData\Local\Temp\install\0\58a3ab93445391306ebd.exe
Path: C:\Users\admin\AppData\Local\Temp\install\0\58a3ab93445391306ebd.exe
Parent process: Microsoft_Security_Essentials.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: MSEInstall Package
Exit code: 0
Version: 4.10.0209.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\install\0\58a3ab93445391306ebd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 1732
CMD: "C:\Windows\system32\EventCreate.exe" /L APPLICATION /T INFORMATION /SO "Microsoft Security Client Setup" /ID 100 /D "HRESULT:0x00000000 Description:The operation completed successfully. "
Path: C:\Windows\system32\EventCreate.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Event Create - Creates a custom event in an event log
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\eventcreate.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 1844
CMD: C:\Windows\system32\sppsvc.exe
Path: C:\Windows\system32\sppsvc.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Software Protection Platform Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\sppsvc.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
PID: 1896
CMD: "C:\Windows\system32\wermgr.exe" "-outproc" "868" "3180"
Path: C:\Windows\system32\wermgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\wermgr.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\shlwapi.dll

Total events: 7 144
Read events: 4 734
Write events: 2 381
Delete events: 29

Modification events

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 10000

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 10000

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 10000

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Process: (916) Microsoft_Security_Essentials.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI
Operation: write
Name: Microsoft_Security_Essentials.exe
Value: 1

Executable files: 69
Suspicious files: 22
Text files: 68
Unknown types: 16

Dropped files

PID | Process | Filename | Type
1400 | 58a3ab93445391306ebd.exe | C:\9b7399fd66a01719cfba480c\x86\epp.msi | 
868 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\install\0\offer0.html | html
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\conn.htm | html
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\1.png | image
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\2.png | image
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\0.png | image
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\4.png | image
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\3.png | image
916 | Microsoft_Security_Essentials.exe | C:\Users\admin\AppData\Local\Temp\installer\5.png | image
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 73
TCP/UDP connections: 36
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3284 | wermgr.exe | GET | | 51.143.111.81:80 | http://watson.microsoft.com/StageOne/Generic/MSSecurityClient/Setup_exe/4_10_209_0/0x80070003/MorroBootstraper__CInstallFlow__InternalRunEpp%20-%20GetBackupAction/MorroBootstraper__CFlow__ProcessFlowActionResult/0/Security%20Essentials.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL | US | | | whitelisted
| | HEAD | 200 | 8.247.205.126:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2006282044 | US | | | whitelisted
| | HEAD | 200 | 8.247.205.126:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2006282044 | US | | | whitelisted
| | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-legacy-muredir.cab?2006282044 | US | compressed | 23.3 Kb | whitelisted
| | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-legacy-muauth.cab?2006282044 | US | compressed | 23.3 Kb | whitelisted
| | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-legacy-muredir.cab?2006282044 | US | compressed | 22.9 Kb | whitelisted
| | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-legacy-muauth.cab?2006282044 | US | compressed | 23.3 Kb | whitelisted
916 | Microsoft_Security_Essentials.exe | GET | 301 | 88.212.252.27:80 | http://softrary.com/api/offers/912/4DEF171F-177A-356F-956F-E049CF28E3AE | RU | html | 162 b | malicious
| | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-legacy-muredir.cab?2006282044 | US | compressed | 22.9 Kb | whitelisted
916 | Microsoft_Security_Essentials.exe | GET | 301 | 88.212.252.27:80 | http://softrary.com/download/912/{4DEF171F-177A-356F-956F-E049CF28E3AE}/4E3014F88A1776A95D57E2AE3211A742FF35E455C4BA3647840D3F88CBE93699DA9581CA4AEBB3D68F3D66AD/1/0 | RU | html | 162 b | malicious

Rows with an empty PID column were not attributed to a monitored process in the report.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
916 | Microsoft_Security_Essentials.exe | 88.212.252.27:80 | softrary.com | Servers.com, Inc. | RU | malicious
916 | Microsoft_Security_Essentials.exe | 88.212.252.27:443 | softrary.com | Servers.com, Inc. | RU | malicious
3284 | wermgr.exe | 51.143.111.81:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious
| | 8.247.205.126:80 | download.windowsupdate.com | Level 3 Communications, Inc. | US | unknown
| | 40.91.124.111:443 | www.update.microsoft.com | Microsoft Corporation | US | unknown
2832 | MpCmdRun.exe | 92.123.32.24:443 | www.microsoft.com | Akamai Technologies, Inc. | | whitelisted
2832 | MpCmdRun.exe | 23.57.80.230:443 | definitionupdates.microsoft.com | Akamai Technologies, Inc. | US | whitelisted
2832 | MpCmdRun.exe | 23.43.200.93:80 | go.microsoft.com | Akamai International B.V. | US | unknown
| | 13.107.4.50:80 | ds.download.windowsupdate.com | Microsoft Corporation | US | whitelisted
3840 | msseces.exe | 23.43.200.93:80 | go.microsoft.com | Akamai International B.V. | US | unknown

DNS requests

Domain | IP | Reputation
softrary.com | 88.212.252.27 | malicious
watson.microsoft.com | 51.143.111.81 | whitelisted
download.windowsupdate.com | 8.247.205.126 | whitelisted
ds.download.windowsupdate.com | 13.107.4.50 | whitelisted
sqm.microsoft.com | | unknown
www.update.microsoft.com | 40.91.124.111 | whitelisted
go.microsoft.com | 23.43.200.93 | whitelisted
www.microsoft.com | 92.123.32.24 | whitelisted
definitionupdates.microsoft.com | 23.57.80.230 | whitelisted

Threats

PID | Process | Class | Message
3284 | wermgr.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft
3284 | wermgr.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Process | Message
Setup.exe | Invalid parameter passed to C runtime function.
Setup.exe | Invalid parameter passed to C runtime function.
wermgr.exe | 
wermgr.exe | 
wermgr.exe | Error -
wermgr.exe | 
wermgr.exe | Error -
wermgr.exe | ReadProcessMemory failed while trying to read PebBaseAddress