File name:

INVOICE#92676696.exe

Full analysis: https://app.any.run/tasks/44587e7f-6f3b-4a4d-8187-179587bc4d90
Verdict: Malicious activity
Analysis date: July 24, 2024, 18:05:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

474975EF4357ACCB444831BD44A1BE7E

SHA1:

2D6B68A58B33D516EB54D7BE4E037F055E55C904

SHA256:

CF3FC4B5949539064CAA06600FAF7FFAADFD5CA52DE79C7DDB1A990B3255217A

SSDEEP:

98304:VhNJBgktHnIIfTduqLSqwT2A5DpOftCLmMJmyUc7dQdG40qXQCmX1XjkZxVrfSkO:2d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • INVOICE#92676696.exe (PID: 6604)
      • INVOICE#92676696.exe (PID: 3360)
      • PDf2055124.exe (PID: 6040)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6624)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • INVOICE#92676696.exe (PID: 6604)
    • Creates or modifies Windows services

      • INVOICE#92676696.exe (PID: 3360)
    • Reads security settings of Internet Explorer

      • INVOICE#92676696.exe (PID: 6604)
      • PDf2055124.exe (PID: 6040)
    • Application launched itself

      • INVOICE#92676696.exe (PID: 6604)
      • PDf2055124.exe (PID: 6040)
    • Executes as Windows Service

      • PDf2055124.exe (PID: 6040)
    • Executable content was dropped or overwritten

      • INVOICE#92676696.exe (PID: 3360)
      • PDf2055124.exe (PID: 6040)
    • Creates a software uninstall entry

      • INVOICE#92676696.exe (PID: 3360)
      • PDf2055124.exe (PID: 6040)
    • Uses WMIC.EXE to obtain operating system information

      • PDf2055124.exe (PID: 6040)
      • PDf2055124.exe (PID: 5532)
      • INVOICE#92676696.exe (PID: 6604)
    • Uses WMIC.EXE to obtain computer system information

      • PDf2055124.exe (PID: 6040)
    • Starts POWERSHELL.EXE for commands execution

      • PDf2055124.exe (PID: 6040)
    • The process hides Powershell's copyright startup banner

      • PDf2055124.exe (PID: 6040)
    • The process bypasses the loading of PowerShell profile settings

      • PDf2055124.exe (PID: 6040)
    • Uses WMIC.EXE to obtain system information

      • PDf2055124.exe (PID: 6040)
    • There is functionality for taking screenshot (YARA)

      • PDf2055124.exe (PID: 5532)
    • Creates file in the systems drive root

      • PDf2055124.exe (PID: 6040)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6624)
    • Starts CMD.EXE for commands execution

      • PDf2055124.exe (PID: 6040)
    • Process drops legitimate windows executable

      • PDf2055124.exe (PID: 6040)
  • INFO

    • Checks supported languages

      • INVOICE#92676696.exe (PID: 6604)
      • INVOICE#92676696.exe (PID: 3360)
      • PDf2055124.exe (PID: 6040)
      • PDf2055124.exe (PID: 5532)
      • PDf2055124.exe (PID: 2816)
      • PDf2055124.exe (PID: 6940)
    • Reads the computer name

      • INVOICE#92676696.exe (PID: 3360)
      • PDf2055124.exe (PID: 6040)
      • PDf2055124.exe (PID: 5532)
      • INVOICE#92676696.exe (PID: 6604)
    • Creates files in the program directory

      • PDf2055124.exe (PID: 6040)
      • INVOICE#92676696.exe (PID: 3360)
    • Reads the machine GUID from the registry

      • PDf2055124.exe (PID: 6040)
      • INVOICE#92676696.exe (PID: 6604)
      • PDf2055124.exe (PID: 5532)
    • Process checks computer location settings

      • INVOICE#92676696.exe (PID: 6604)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6700)
      • WMIC.exe (PID: 6592)
      • WMIC.exe (PID: 7040)
      • WMIC.exe (PID: 1552)
      • WMIC.exe (PID: 5692)
      • WMIC.exe (PID: 4992)
      • WMIC.exe (PID: 6640)
    • Manual execution by a user

      • WINWORD.EXE (PID: 6920)
      • PDf2055124.exe (PID: 5532)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2128)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2128)
    • Reads the software policy settings

      • slui.exe (PID: 2464)
    • Checks proxy server information

      • slui.exe (PID: 2464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:08 17:00:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 4264960
InitializedDataSize: 1979392
UninitializedDataSize: -
EntryPoint: 0x37d230
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: PDF Viewer
FileVersion: 2022-Oct-21 22:58:31-0700
LegalCopyright: Apache 2.0 License
ProductName: PDF Viewer
ProductVersion: Commit: 2022-Oct-21 22:58:31-0700
No data.
All screenshots are available in the full report
Total processes
185
Monitored processes
42
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes in the graph, in start order ("THREAT" is the node the sandbox flagged):
invoice#92676696.exe, conhost.exe, wmic.exe, conhost.exe, invoice#92676696.exe, conhost.exe, pdf2055124.exe, winword.exe, ai.exe, wmic.exe, conhost.exe, wmic.exe, conhost.exe, wmic.exe, conhost.exe, wmic.exe, conhost.exe, wmic.exe, conhost.exe, wmic.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, cmd.exe, conhost.exe, manage-bde.exe, rundll32.exe, THREAT pdf2055124.exe, conhost.exe, wmic.exe, conhost.exe, pdf2055124.exe, conhost.exe, slui.exe, pdf2055124.exe, conhost.exe

Process information

PID | CMD | Path | Indicators | Parent process

PID 1028 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: PDf2055124.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1048 | CMD: /c manage-bde -protectors -get C: -Type recoverypassword | Path: C:\Windows\System32\cmd.exe | Parent: PDf2055124.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Windows Command Processor | Exit code: 4294967295 (0xFFFFFFFF) | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 1096 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: WMIC.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1128 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: WMIC.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1160 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1392 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: powershell.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1504 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: PDf2055124.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1548 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: PDf2055124.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1552 | CMD: wmic os get oslanguage /FORMAT:LIST | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: PDf2055124.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: WMI Commandline Utility | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 2128 | CMD: powershell -noprofile -nologo -command - | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent: PDf2055124.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Windows PowerShell | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
(The trailing "-" after -command makes PowerShell read its script from standard input, so the executed content never appears on the command line; only the parent's pipe writes carry it.)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
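The process table above is the sequence an analyst would want to alert on: the service binary running as SYSTEM from Program Files spawns a burst of WMIC queries, a PowerShell that takes its script from stdin (-command -), and a cmd.exe that dumps the BitLocker recovery password for C:. The Python below is an added example (not ANY.RUN's code and not the sample's) that applies those rules to constructed process-creation events mirroring the table. PIDs, images and the command lines shown in the report are transcribed; the parent PIDs for explorer.exe and services.exe, and the text of the WMIC queries other than the oslanguage one, are assumptions.

```python
"""Rule-based triage over process-creation events laid out like the report's
process table. Added example, not ANY.RUN's code; a real feed would be Sysmon
Event ID 1 or an EDR process export."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str


SERVICE_EXE = r"C:\Program Files\PDF Viewer™\PDFViewer™\PDf2055124.exe"

# Constructed sample. PIDs 1000 (explorer.exe) and 700 (services.exe) and the
# two WMIC queries marked "assumed" are not in the report.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe", "admin"),
    ProcEvent(700, 1, r"C:\Windows\System32\services.exe", "services.exe", "SYSTEM"),
    ProcEvent(6604, 1000, r"C:\Users\admin\Downloads\INVOICE#92676696.exe", '"INVOICE#92676696.exe"', "admin"),
    ProcEvent(3360, 6604, r"C:\Users\admin\Downloads\INVOICE#92676696.exe", '"INVOICE#92676696.exe"', "admin"),
    ProcEvent(6040, 700, SERVICE_EXE,
              f'"{SERVICE_EXE}" --meshServiceName="PDFViewer™" '
              '--installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"', "SYSTEM"),
    ProcEvent(1552, 6040, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get oslanguage /FORMAT:LIST", "SYSTEM"),
    ProcEvent(6700, 6040, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption /FORMAT:LIST", "SYSTEM"),  # assumed
    ProcEvent(6592, 6040, r"C:\Windows\System32\wbem\WMIC.exe", "wmic computersystem get name /FORMAT:LIST", "SYSTEM"),  # assumed
    ProcEvent(2128, 6040, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -noprofile -nologo -command -", "SYSTEM"),
    ProcEvent(1048, 6040, r"C:\Windows\System32\cmd.exe",
              "/c manage-bde -protectors -get C: -Type recoverypassword", "SYSTEM"),
]

# (rule name, base severity, pattern over the command line)
RULES = [
    ("bitlocker_recovery_key_dump", "high",
     re.compile(r"manage-bde\b.*-protectors\b.*-get\b.*recoverypassword", re.I)),
    ("powershell_script_from_stdin", "medium",   # "-command -" reads the script from stdin
     re.compile(r"powershell(\.exe)?\b.*-command\s+-\s*$", re.I)),
    ("service_binary_with_mesh_args", "medium",
     re.compile(r"--meshServiceName=", re.I)),
]
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def build_index(events):
    """Map pid -> event and ppid -> list of children."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def chain(pid, by_pid):
    """Image names from the top-most known ancestor down to pid."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))


def has_non_windows_ancestor(pid, by_pid):
    """True if pid or any ancestor runs from outside the Windows directory
    (here the service under Program Files and the download in the profile)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if not by_pid[pid].image.lower().startswith("c:\\windows\\"):
            return True
        pid = by_pid[pid].ppid
    return False


def triage(events):
    """Return sorted (rule, severity, pid, chain) tuples. Severity is raised to
    'high' when the match runs as SYSTEM with a non-Windows binary in its
    ancestry: the shape of a freshly installed service doing the work."""
    by_pid, children = build_index(events)
    findings = []

    def add(rule, sev, e):
        if e.user.upper() == "SYSTEM" and has_non_windows_ancestor(e.pid, by_pid):
            sev = "high"
        findings.append((rule, sev, e.pid, chain(e.pid, by_pid)))

    for e in events:
        for rule, sev, rx in RULES:
            if rx.search(e.cmdline):
                add(rule, sev, e)
    # Three or more WMIC children of one non-shell parent: the recon burst the
    # report records under PDf2055124.exe.
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        wmic = [k for k in kids if ntpath.basename(k.image).lower() == "wmic.exe"]
        if parent and len(wmic) >= 3 and ntpath.basename(parent.image).lower() not in INTERACTIVE_SHELLS:
            add("wmic_recon_burst", "medium", parent)
    return sorted(findings)


if __name__ == "__main__":
    for rule, sev, pid, path in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {rule:32} pid={pid:<5} {path}")
```

The parent chain is what turns four medium-looking events into one story: every hit traces back through PDf2055124.exe to services.exe, which is why the severity bump keys on SYSTEM plus a non-Windows ancestor rather than on the command line alone.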
Total events
44 819
Read events
44 427
Write events
362
Delete events
30

Modification events

PID 6604, INVOICE#92676696.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 6604, INVOICE#92676696.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 6604, INVOICE#92676696.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 6604, INVOICE#92676696.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 3360, INVOICE#92676696.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDFViewer™ | Operation: write | Name: ImagePath | Value: "C:\Program Files\PDF Viewer™\PDFViewer™\PDf2055124.exe" --meshServiceName="PDFViewer™" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
PID 3360, INVOICE#92676696.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDFViewer™ | Operation: write | Name: _InstalledBy | Value: S-1-5-21-1693682860-607145093-2874071422-1001
PID 3360, INVOICE#92676696.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDFViewer™ | Operation: write | Name: DisplayName | Value: PDF Viewer™
PID 3360, INVOICE#92676696.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDFViewer™ | Operation: write | Name: DisplayIcon | Value: C:\Program Files\PDF Viewer™\PDFViewer™\PDf2055124.exe
PID 3360, INVOICE#92676696.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDFViewer™ | Operation: write | Name: InstallLocation | Value: C:\Program Files\PDF Viewer™\PDFViewer™\
PID 3360, INVOICE#92676696.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDFViewer™ | Operation: write | Name: EstimatedSize | Value: 5951
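The writes by PID 3360 above are the persistence half of the install: a new service whose ImagePath is an executable under Program Files carrying --meshServiceName and --installedByUser arguments, plus an Uninstall entry pointing at the same binary so it shows up as an ordinary installed product. The Python below is an added example, not ANY.RUN's code, that groups such records by key and emits findings. The records are transcribed from the events above; the record layout, the rule names and the DisplayIcon-to-ImagePath correlation are this example's own.

```python
"""Persistence findings from registry writes laid out like the report's
"Modification events". Added example, not ANY.RUN's code."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: str


SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDFViewer™"
UNINST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDFViewer™"
ZONEMAP = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
SVC_EXE = r"C:\Program Files\PDF Viewer™\PDFViewer™\PDf2055124.exe"

# Transcribed from the report. The ZoneMap writes are WinINet initialisation
# noise and are deliberately left unmatched by the rules below.
SAMPLE_WRITES = [
    RegWrite(6604, "INVOICE#92676696.exe", ZONEMAP, "ProxyBypass", "1"),
    RegWrite(6604, "INVOICE#92676696.exe", ZONEMAP, "IntranetName", "1"),
    RegWrite(6604, "INVOICE#92676696.exe", ZONEMAP, "UNCAsIntranet", "1"),
    RegWrite(6604, "INVOICE#92676696.exe", ZONEMAP, "AutoDetect", "0"),
    RegWrite(3360, "INVOICE#92676696.exe", SVC_KEY, "ImagePath",
             f'"{SVC_EXE}" --meshServiceName="PDFViewer™" '
             '--installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"'),
    RegWrite(3360, "INVOICE#92676696.exe", SVC_KEY, "_InstalledBy",
             "S-1-5-21-1693682860-607145093-2874071422-1001"),
    RegWrite(3360, "INVOICE#92676696.exe", UNINST_KEY, "DisplayName", "PDF Viewer™"),
    RegWrite(3360, "INVOICE#92676696.exe", UNINST_KEY, "DisplayIcon", SVC_EXE),
    RegWrite(3360, "INVOICE#92676696.exe", UNINST_KEY, "InstallLocation",
             "C:\\Program Files\\PDF Viewer™\\PDFViewer™\\"),
    RegWrite(3360, "INVOICE#92676696.exe", UNINST_KEY, "EstimatedSize", "5951"),
]

SERVICES_RX = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)$", re.I)
UNINSTALL_RX = re.compile(r"\\CurrentVersion\\Uninstall\\([^\\]+)$", re.I)
SID_RX = re.compile(r'--installedByUser="?(S-1-5-21(?:-\d+)+)', re.I)


def image_path_exe(image_path: str) -> str:
    """Executable part of a service ImagePath, lower-cased: the quoted token if
    the path is quoted, otherwise the text before the first ' -' or ' /' argument."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = re.split(r"\s+[-/]", s, maxsplit=1)[0]
    return exe.strip().lower()


def is_system_location(exe: str) -> bool:
    return exe.startswith(("c:\\windows\\", "\\systemroot\\", "%systemroot%\\", "system32\\"))


def installed_by_sid(image_path: str):
    m = SID_RX.search(image_path)
    return m.group(1) if m else None


def persistence_findings(writes):
    """Group writes per service and per uninstall entry, then correlate."""
    services, uninstall, writer = defaultdict(dict), defaultdict(dict), {}
    for w in writes:
        m = SERVICES_RX.match(w.key)
        if m:
            services[m.group(1)][w.name] = w.value
            writer[("svc", m.group(1))] = w.pid
        m = UNINSTALL_RX.search(w.key)
        if m:
            uninstall[m.group(1)][w.name] = w.value
            writer[("uninst", m.group(1))] = w.pid

    findings = []
    for svc, vals in services.items():
        if "ImagePath" not in vals:
            continue
        exe = image_path_exe(vals["ImagePath"])
        pid = writer[("svc", svc)]
        if not is_system_location(exe):
            findings.append({"rule": "new_service_outside_windows_dir", "pid": pid, "service": svc, "exe": exe})
        if "--meshservicename=" in vals["ImagePath"].lower():
            findings.append({"rule": "meshagent_style_service_args", "pid": pid, "service": svc,
                             "exe": exe, "installed_by": installed_by_sid(vals["ImagePath"])})
        # An uninstall entry whose icon is the service binary: the installer
        # registered itself as a product so the service reads as a normal install.
        for name, uv in uninstall.items():
            if uv.get("DisplayIcon", "").strip().lower() == exe:
                findings.append({"rule": "uninstall_entry_for_service_binary", "pid": writer[("uninst", name)],
                                 "service": svc, "exe": exe, "display_name": uv.get("DisplayName")})
    return findings


if __name__ == "__main__":
    for f in persistence_findings(SAMPLE_WRITES):
        print(f)
```

On a live host the same three checks map to HKLM\SYSTEM\CurrentControlSet\Services and the Uninstall hive: list services whose ImagePath executable is outside the Windows directory, then look for an Uninstall entry whose DisplayIcon is that executable. The --installedByUser SID gives the account whose context the installer ran in, which is the user to pivot on for the initial download.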
Executable files
2
Suspicious files
24
Text files
20
Unknown types
15

Dropped files

PID | Process | Filename | Type

PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | Type: binary
  MD5: DE77084626C9B28D2CC56B8E179BF197 | SHA256: 8DF4650ABE902E03816AF0A5DA3BCAA919D572AC6F72272CF869A421C9E8CD67
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | Type: binary
  MD5: 60048EB988A65A92326CF9584838C828 | SHA256: E8127E75B958D78B41B654CE5B98DE0A9AEDE3608267CB2F49D8355596CC483D
PID 6040, PDf2055124.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BF411215A28225EC7531C309D61C909149B5BBD1 | Type: dbf
  MD5: 25C0D4274CE9A6AD3F69A1A2B2E5FF71 | SHA256: EC1D149DA6589E6B127A9A327F893B4E2D11709FC5371FAE8BACFCD04A70A838
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9245F5EF-E0D5-4A68-A6BA-60061D8DE8BC | Type: xml
  MD5: C381CE189F8749A6F3BB924E21759776 | SHA256: F0C112FD48D0F3DBCB1FA23F8AAFA3C71AA72A1B8D777CE5C7950AD58BA4CA0D
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | Type: text
  MD5: AF24F617C6ECD6FB340384F21E03E91E | SHA256: 6F731FD915BD3E34BB28FD8A322798C18B97AB477F8D59947481F0E4AAC11219
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: abr
  MD5: 02194BC9FAD77096472E45167C972361 | SHA256: 0442F45EF58CF11B33D83D23DDF9D6FF2206BA46CAC4B21722A4829F835BE0CA
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres | Type: binary
  MD5: 6794C8FB077D9EE2458DE9C5A185166C | SHA256: 625632C95673E2C517694816D3B671C0B0433046F35E87B6727916294F393C30
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\removeanswer.rtf.LNK | Type: lnk
  MD5: 61D4C252A8B255EFB3C9FCE5442416C5 | SHA256: 311DF1CBC0CBEC5659FE263530824A02C97666B4F953A68B71EFA23C7EDB8286
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | Type: der
  MD5: 94351CB105884B824E9778D0DDED1C64 | SHA256: B67FD799051EC989F549F50EBE37D5EB7A81AD311E0017806D93A138EB4525EF
PID 6920, WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | Type: binary
  MD5: 9473B69D600918824DC13A11B7313274 | SHA256: 6F5339FDD5C4C038CDF7ADF8F03654174DC98E99C2721E5799D43A4751DDDDA3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
70
DNS requests
30
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5272 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5272 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6228 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6920 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
504 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6920 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
3148 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 104.126.37.160:443 | - | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3108 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3392 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 4.208.221.206:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
3992 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5368 | SearchApp.exe | 2.23.209.133:443 | www.bing.com | Akamai International B.V. | GB | unknown
5272 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.14
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.150
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.179
  • 2.23.209.177
  • 2.23.209.185
  • 2.23.209.189
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.0
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.68
  • 40.126.31.71
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
syn.hiddenvnc.com
  • 186.2.171.76
unknown
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted

Threats

No threats detected
Debug output (Process: Message)

INVOICE#92676696.exe: Detected memory leaks!
INVOICE#92676696.exe: Dumping objects ->
INVOICE#92676696.exe: C:\Users\yfjvy\Downloads\MeshAgent-master\microscript\ILibDuktape_ScriptContainer.c(1611) :
INVOICE#92676696.exe: {75763}
INVOICE#92676696.exe: normal block at 0x000001F97BFFE850, 6001 bytes long.
INVOICE#92676696.exe: Data: <9 > 39 17 00 00 00 00 00 00 08 00 00 00 00 00 00 00
INVOICE#92676696.exe: C:\Users\yfjvy\Downloads\MeshAgent-master\microscript\ILibDuktape_ScriptContainer.c(1611) :
INVOICE#92676696.exe: {75625}
INVOICE#92676696.exe: normal block at 0x000001F97BEAD410, 536 bytes long.
INVOICE#92676696.exe: Data: < > E0 01 00 00 00 00 00 00 08 00 00 00 00 00 00 00

These are CRT debug-heap leak reports emitted at process exit; the source path they carry (MeshAgent-master\microscript\ILibDuktape_ScriptContainer.c) identifies the binary as a debug build of MeshAgent, consistent with the --meshServiceName argument in the service ImagePath written by PID 3360.