File name:

2.exe

Full analysis: https://app.any.run/tasks/2f4b984e-e798-456d-9b3a-25c3db90de07
Verdict: Malicious activity
Analysis date: July 12, 2025, 03:43:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
wsftprm-sys
vuln-driver
xor-url
generic
winos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

27DE58CDE15D6D57FF0AA08611F2687D

SHA1:

A4658591A7D67AA275EB483C3040671FB9070876

SHA256:

CDA35659CA76F5CE32A7BB98F59FEFB00DF0EB7F2A19D89B9BCA7B15A9DB3227

SSDEEP:

393216:05h9C3GSo2s5gg0bLWIRL2YLStMFWpiEeB7H51NpMK/hMxUTdzgvJmCiI86/0Bgx:HSagkrStsWleB75cURzYMI86cBgynw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • Yioosttery.exe (PID: 3588)
    • Adds path to the Windows Defender exclusion list

      • Yioosttery.exe (PID: 3588)
    • Changes Windows Defender settings

      • Yioosttery.exe (PID: 3588)
    • WINOS has been detected (YARA)

      • QMUpload.exe (PID: 1652)
      • QMUpload.exe (PID: 1948)
    • XORed URL has been found (YARA)

      • Yioosttery.exe (PID: 3588)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2.exe (PID: 3872)
      • 2.exe (PID: 6400)
      • 2.tmp (PID: 3392)
      • Yioosttery.exe (PID: 3588)
    • Reads security settings of Internet Explorer

      • 2.tmp (PID: 4500)
    • Reads the Windows owner or organization settings

      • 2.tmp (PID: 3392)
    • Script adds exclusion path to Windows Defender

      • Yioosttery.exe (PID: 3588)
    • The process drops C-runtime libraries

      • Yioosttery.exe (PID: 3588)
    • Process drops legitimate windows executable

      • Yioosttery.exe (PID: 3588)
    • Detected use of alternative data streams (AltDS)

      • Yioosttery.exe (PID: 3588)
    • Executes as Windows Service

      • QMUpload.exe (PID: 1652)
    • Application launched itself

      • QMUpload.exe (PID: 1652)
    • Starts POWERSHELL.EXE for commands execution

      • Yioosttery.exe (PID: 3588)
    • Connects to unusual port

      • QMUpload.exe (PID: 1948)
    • There is functionality for taking screenshot (YARA)

      • QMUpload.exe (PID: 1948)
      • QMUpload.exe (PID: 1652)
      • Yioosttery.exe (PID: 3588)
  • INFO

    • Checks supported languages

      • 2.tmp (PID: 4500)
      • 2.exe (PID: 3872)
      • 2.exe (PID: 6400)
      • 2.tmp (PID: 3392)
      • Yioosttery.exe (PID: 3588)
      • QMUpload.exe (PID: 1652)
      • QMUpload.exe (PID: 1948)
    • Create files in a temporary directory

      • 2.exe (PID: 3872)
      • 2.exe (PID: 6400)
      • 2.tmp (PID: 3392)
      • Yioosttery.exe (PID: 3588)
    • Process checks computer location settings

      • 2.tmp (PID: 4500)
    • Reads the computer name

      • 2.tmp (PID: 4500)
      • 2.exe (PID: 6400)
      • 2.tmp (PID: 3392)
      • Yioosttery.exe (PID: 3588)
      • QMUpload.exe (PID: 1652)
      • QMUpload.exe (PID: 1948)
    • Creates files or folders in the user directory

      • 2.tmp (PID: 3392)
    • The sample compiled with english language support

      • 2.tmp (PID: 3392)
      • Yioosttery.exe (PID: 3588)
    • Creates files in the program directory

      • Yioosttery.exe (PID: 3588)
    • The sample compiled with chinese language support

      • Yioosttery.exe (PID: 3588)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4936)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4936)
    • Reads the software policy settings

      • slui.exe (PID: 1944)
    • Checks proxy server information

      • slui.exe (PID: 1944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(3588) Yioosttery.exe
Decrypted-URLs (31)
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://crl.globalsign.com/gs/gscodesigng2.crl0
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.net/root.crl0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
http://ocsp.digicert.com0
http://ocsp.digicert.com0A
http://ocsp.digicert.com0C
http://ocsp.digicert.com0X
http://ocsp2.globalsign.com/gscodesigng20
http://secure.globalsign.com/cacert/gscodesigng2.crt04
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
http://www.digicert.com/CPS0
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://www.microsoft.com/pkiops/Docs/Repository.htm0
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0
http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crt0
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl0
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
https://www.microsoft.com/en-us/windows
Decrypted-URLs (9)
http://crl.globalsign.com/gs/gscodesigng2.crl0
http://crl.globalsign.com/gs/gstimestampingg2.crl0T
http://crl.globalsign.net/root.crl0
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://ocsp2.globalsign.com/gscodesigng20
http://secure.globalsign.com/cacert/gscodesigng2.crt04
http://secure.globalsign.com/cacert/gstimestampingg2.crt0
https://www.globalsign.com/repository/0
https://www.globalsign.com/repository/03
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 171520
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: K4HJ36GKHJ345G6JH543G6JHG56JH3G6 Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: K4HJ36GKHJ345G6JH543G6JHG56JH3G6
ProductVersion: 14.5.62.335
No data.
All screenshots are available in the full report
Total processes
140
Monitored processes
10
Malicious processes
7
Suspicious processes
0

Behavior graph

start
2.exe
2.tmp (no specs)
2.exe
2.tmp
#XOR-URL yioosttery.exe
#WINOS qmupload.exe (no specs)
#WINOS qmupload.exe
powershell.exe (no specs)
conhost.exe (no specs)
slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1480
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1652
CMD:
C:\ProgramData\p5G9k8fJ\QMUpload.exe
Path:
C:\ProgramData\p5G9k8fJ\QMUpload.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
腾讯电脑管家-下载中心
Version:
17.6.27115.207
Modules
Images
c:\programdata\p5g9k8fj\qmupload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
1944
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1948
CMD:
"C:\ProgramData\p5G9k8fJ\QMUpload.exe"
Path:
C:\ProgramData\p5G9k8fJ\QMUpload.exe
Parent process:
QMUpload.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
腾讯电脑管家-下载中心
Version:
17.6.27115.207
Modules
Images
c:\programdata\p5g9k8fj\qmupload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
3392
CMD:
"C:\Users\admin\AppData\Local\Temp\is-HNOS8.tmp\2.tmp" /SL5="$802C8,57456327,857600,C:\Users\admin\AppData\Local\Temp\2.exe" /SPAWNWND=$702E4 /NOTIFYWND=$E0330
Path:
C:\Users\admin\AppData\Local\Temp\is-HNOS8.tmp\2.tmp
Parent process:
2.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-hnos8.tmp\2.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
3588
CMD:
"C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\Yioosttery.exe"
Path:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\Yioosttery.exe
Parent process:
2.tmp
User:
admin
Company:
Cfx.re
Integrity Level:
HIGH
Description:
GTA5VN
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\appdata\roaming\yjytdjrdtydrthjdtjdjrdjdhfdfhdrhfjftjgssegsef\yioosttery.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\win32u.dll
PID:
3872
CMD:
"C:\Users\admin\AppData\Local\Temp\2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\2.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
K4HJ36GKHJ345G6JH543G6JHG56JH3G6 Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
4500
CMD:
"C:\Users\admin\AppData\Local\Temp\is-19UB3.tmp\2.tmp" /SL5="$E0330,57456327,857600,C:\Users\admin\AppData\Local\Temp\2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-19UB3.tmp\2.tmp
Parent process:
2.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-19ub3.tmp\2.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
4936
CMD:
powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\ProgramData\p5G9k8fJ""
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
Yioosttery.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
6400
CMD:
"C:\Users\admin\AppData\Local\Temp\2.exe" /SPAWNWND=$702E4 /NOTIFYWND=$E0330
Path:
C:\Users\admin\AppData\Local\Temp\2.exe
Parent process:
2.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
K4HJ36GKHJ345G6JH543G6JHG56JH3G6 Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
Total events
6 867
Read events
6 866
Write events
1
Delete events
0

Modification events

(PID) Process:
(3588) Yioosttery.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\CitizenFX\GTA5VN
Operation:
write
Name:
Last Run Location
Value:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\
Executable files
10
Suspicious files
10
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\is-MN6QJ.tmp
Type:
MD5:
SHA256:

PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\Potato_安装包.exe
Type:
MD5:
SHA256:

PID:
3588
Process:
Yioosttery.exe
Filename:
C:\ProgramData\p5G9k8fJ\QMStuck.dll
Type:
MD5:
SHA256:

PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-7KJS3.tmp\_isetup\_setup64.tmp
Type:
executable
MD5:
E4211D6D009757C078A9FAC7FF4F03D4
SHA256:
388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\README.md
Type:
binary
MD5:
5515EE6F136C87EAB65B9D35999C67E9
SHA256:
7D91C09221A2625D0743637E8418EB64F2E7390A17F8D7B5D826DB60021216F0

PID:
3872
Process:
2.exe
Filename:
C:\Users\admin\AppData\Local\Temp\is-19UB3.tmp\2.tmp
Type:
executable
MD5:
AAE6067DCCA5C621B199F56E295654CE
SHA256:
28DE1CD08957B0630A4E9A21ED9A739CD0C718939525EFB106D0D3ED0491A460

PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\is-CE48U.tmp
Type:
binary
MD5:
C0C19E0640C024991717D7B84F206FF1
SHA256:
AF1F3A263B9234907341A7F1714DA5F8FCE805685E41097EAC2A292C0EBCEE43

PID:
6400
Process:
2.exe
Filename:
C:\Users\admin\AppData\Local\Temp\is-HNOS8.tmp\2.tmp
Type:
executable
MD5:
AAE6067DCCA5C621B199F56E295654CE
SHA256:
28DE1CD08957B0630A4E9A21ED9A739CD0C718939525EFB106D0D3ED0491A460

PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\is-3B0NC.tmp
Type:
binary
MD5:
5515EE6F136C87EAB65B9D35999C67E9
SHA256:
7D91C09221A2625D0743637E8418EB64F2E7390A17F8D7B5D826DB60021216F0

PID:
3392
Process:
2.tmp
Filename:
C:\Users\admin\AppData\Roaming\yjytdjrdtydrthjdtjdjrdjDHFDFHDRHFJFTJgssegsef\is-RLQK3.tmp
Type:
executable
MD5:
D252746CB65CE766E4160157DF4F2952
SHA256:
342BC43B54B5197562657794B83325394BD88C7C33DB241DF199A2748CC4D261
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
70
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
6512
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
420 b
whitelisted
6512
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
ID
binary
734 b
whitelisted
2292
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1352
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2292
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2292
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.3
  • 40.126.32.133
  • 20.190.160.131
  • 40.126.32.134
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info