File name: cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe

Full analysis: https://app.any.run/tasks/fdc013a2-a1ab-44c4-82d4-77e042558c5d
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: March 05, 2026, 03:49:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
tofsee
hijackloader
loader
advancedinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

0F3ED0AAC5872BAE70883214D93A4FA0

SHA1:

834E05A9CB95ED0B135BD1F8A31B40A44C3EA0A7

SHA256:

CEFC8719F20F3FE626BB1B1FF1E16655561DDC0D1E1D2F0A8D54A9752A1419C4

SSDEEP:

98304:1rq3BdwpcPzv6Y//teZpwZsN5rDMT+sehfoV6b8EkFniSmzv9LOiprZ8Gd3JWYSP:n9tb1ta1D5cMH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe (PID: 2340)
      • Adobe QT32 Server.exe (PID: 7420)
      • Adobe QT32 Server.exe (PID: 3952)
      • servicebrowserv5.exe (PID: 2428)
    • TOFSEE has been found (auto)

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe (PID: 2340)
    • HIJACKLOADER has been detected (YARA)

      • cmd.exe (PID: 7272)
      • servicebrowserv5.exe (PID: 2428)
    • TOFSEE has been detected (YARA)

      • servicebrowserv5.exe (PID: 2428)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
    • The process creates files with name similar to system file names

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 7420)
    • Executable content was dropped or overwritten

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe (PID: 2340)
      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 7420)
      • cmd.exe (PID: 7272)
    • The process drops C-runtime libraries

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 7420)
    • Starts itself from another location

      • Adobe QT32 Server.exe (PID: 7420)
    • Starts CMD.EXE for commands execution

      • Adobe QT32 Server.exe (PID: 3952)
    • The executable file from the user directory is run by the CMD process

      • servicebrowserv5.exe (PID: 2428)
    • Connects to SMTP port

      • servicebrowserv5.exe (PID: 2428)
    • Detects AdvancedInstaller (YARA)

      • servicebrowserv5.exe (PID: 2428)
  • INFO

    • Checks supported languages

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe (PID: 2340)
      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 7420)
      • Adobe QT32 Server.exe (PID: 3952)
      • servicebrowserv5.exe (PID: 2428)
    • Create files in a temporary directory

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe (PID: 2340)
      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 3952)
    • Reads the computer name

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 7420)
      • Adobe QT32 Server.exe (PID: 3952)
      • servicebrowserv5.exe (PID: 2428)
    • The sample compiled with english language support

      • cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp (PID: 1044)
      • Adobe QT32 Server.exe (PID: 7420)
      • cmd.exe (PID: 7272)
    • Creates files or folders in the user directory

      • Adobe QT32 Server.exe (PID: 7420)
    • There is functionality for taking screenshot (YARA)

      • servicebrowserv5.exe (PID: 2428)
    • Checks proxy server information

      • slui.exe (PID: 1956)

Tofsee

Process: servicebrowserv5.exe (PID: 2428)
C2 (2):
vanaheim.cn
jotunheim.name
Encrypted Strings (59):
c:\Windows
\system32\
ImagePath
.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig
/r
.exe
cmd /C move /Y "%s" %s sc config %s binPath= "%s%s /d\"%s\"" sc start %s
svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
PromptOnSecureDesktop
MSConfig
:.repos
USERPROFILE
\Local Settings:.repos
USERPROFILE
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
USERPROFILE
\wincookie.repos
TMP
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
SYSTEM\CurrentControlSet\services
ImagePath
SYSTEM\CurrentControlSet\services
SYSTEM\CurrentControlSet\services
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
qazwsxed
%s%i%i%i%i.bat
@echo off :next_try del "%s">nul if exist "%s" ( ping 127.0.0.1 >nul goto next_try ) del %%0
svchost.exe
.exe
/u
USERPROFILE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/d
/e
/d
/e
.exe
"%s" /u"%s"
USERPROFILE
.exe
USERPROFILE
USERPROFILE
ver=%d lid=%d win=%X/%d sid=%s rep=%s
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Holt Setup
FileVersion: 2.0.0.0
LegalCopyright:
OriginalFileName:
ProductName: Holt
ProductVersion: 4.6
Total processes: 145
Monitored processes: 9
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start → cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe → cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp → adobe qt32 server.exe → adobe qt32 server.exe (no specs) → cmd.exe (#HIJACKLOADER) → conhost.exe (no specs), servicebrowserv5.exe (#HIJACKLOADER)
slui.exe
svchost.exe

Process information

PID: 1044
CMD: "C:\Users\admin\AppData\Local\Temp\is-14NF8.tmp\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp" /SL5="$903AE,7068991,845824,C:\Users\admin\Desktop\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-14NF8.tmp\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp
Parent process: cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 1
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-14nf8.tmp\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

PID: 1956
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2340
CMD: "C:\Users\admin\Desktop\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe"
Path: C:\Users\admin\Desktop\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Holt Setup
Exit code: 1
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

PID: 2428
CMD: C:\Users\admin\AppData\Local\Temp\servicebrowserv5.exe
Path: C:\Users\admin\AppData\Local\Temp\servicebrowserv5.exe
Parent process: cmd.exe
User: admin
Company: Caphyon
Integrity Level: MEDIUM
Description: updater 18.0
Version: 18.0
Modules (images):
c:\users\admin\appdata\local\temp\hkhorsecpjgea
c:\users\admin\appdata\local\temp\servicebrowserv5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 3952
CMD: "C:\Users\admin\AppData\Roaming\controlupdateFe\Adobe QT32 Server.exe"
Path: C:\Users\admin\AppData\Roaming\controlupdateFe\Adobe QT32 Server.exe
Parent process: Adobe QT32 Server.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Media Core.0
Exit code: 1
Version: 8.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\controlupdatefe\adobe qt32 server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6152
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7272
CMD: C:\WINDOWS\SysWOW64\cmd.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Adobe QT32 Server.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7420
CMD: "C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\Adobe QT32 Server.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\Adobe QT32 Server.exe
Parent process: cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Media Core.0
Exit code: 0
Version: 8.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-ej6n5.tmp\adobe qt32 server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Total events: 4 316
Read events: 4 316
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 47
Suspicious files: 6
Text files: 0
Unknown types: 0

Dropped files

PID / Process / Filename / Type:

2340 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.exe / C:\Users\admin\AppData\Local\Temp\is-14NF8.tmp\cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / executable
  MD5: 07C7C2FDE792EB5E1CCA2B470F54B989
  SHA256: B88972F6EF8B8BD3ED59988E612AF24F0A9F4062340DAD34B4C71F1BC66090A4

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\_isetup\_setup64.tmp / executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\boost_date_time.dll / executable
  MD5: E4862728552671212C86B50470710BEB
  SHA256: 83A6FF307C32692F8775302315295E6A814701D5A617621C25B935CF9660D50F

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\Adobe QT32 Server.exe / executable
  MD5: A5EE3594A2A4697E0D71A1C3E622BD1F
  SHA256: FBEB72331182532C5FD95078450DF53B08A0FD405E3AAED3DEA7265F8466F2EC

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\boost_threads.dll / executable
  MD5: 44D1D2711F5FF5C0D5A566BEEED1FBE2
  SHA256: 882F809095A5A2B8BE3C5A26D5882632D99B0622DB904DCA3FFCB48FD093D91C

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\boost_system.dll / executable
  MD5: CEF0081A028FDA210C1AD6417865CC95
  SHA256: 4F3A1C28B3A15E6FBB3EA635B2C43FEA7DE4A797543B5CF2142FE6B0240F2C5F

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\ASLFoundation.dll / executable
  MD5: 87092962B52CDBA210625D0496579956
  SHA256: 61209252CA938A4E11CB665A2C2E8D258484433A620DD3F9200A224AAF59618B

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\ASLUnitTesting.dll / executable
  MD5: 1D03D84016D622F18C1A9CCAC5E5B2A2
  SHA256: E486BF68D27EFC72DE8DD43DC16297068B733AB83B8925A43854523DCE0EBEA9

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\ASLMessaging.dll / executable
  MD5: 0DAF9BB267ADA3C73831C64468F0B2E5
  SHA256: 71C3E619E42F1BB56B879334358247C9BB24219E0A3CA12203CE720B765CC12F

1044 / cefc8719f20f3fe626bb1b1ff1e16655561ddc0d1e1d2f0a8d54a9752a1419c4.tmp / C:\Users\admin\AppData\Local\Temp\is-EJ6N5.tmp\dvamediatypes.dll / executable
  MD5: 0641560E5ECD1702AA259AC8C48577E1
  SHA256: 3FAA936558703316EDBFB0D57D697F0ED160149B1417F4D5D02D9EF3576FF779

HTTP(S) requests: 16
TCP/UDP connections: 34
DNS requests: 21
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5780 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5780 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5780 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6084 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | binary | 512 b | whitelisted
6084 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | binary | 512 b | whitelisted
3292 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | - | - | whitelisted
3292 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 184.86.251.27:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
5780 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5780 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5780 | svchost.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5780 | svchost.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 13.69.239.79
  • 20.189.173.24
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.22
whitelisted
google.com
  • 142.251.141.142
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 72.246.29.11
whitelisted
microsoft.com
  • 13.107.213.45
  • 13.107.246.45
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.194.4
  • 52.101.50.13
  • 52.101.41.56
  • 52.101.41.0
whitelisted
vanaheim.cn
  • 185.218.0.137
malicious
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 8