File name: d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe

Full analysis: https://app.any.run/tasks/621d9c3b-db0e-495f-b683-3fe3baccaee0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 11, 2025, 00:26:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: auto, generic, reflection, loader, arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 0799756F104A70CB6CE0CFC422DE25DB
SHA1: CCEC79B6300F8E86C3BEFF86BAC01362F71E7715
SHA256: D2049157980B7EE0A54948D4DEF4AB62303CA51CADAADA06FB51C583ECBCE1A2
SSDEEP: 98304:f0S48XA1HN4rI1yz6ywKhnp8TsDFwccqVdUor0yR53IMxcBmC6S4Srw0TjcKrtJP:zsY2ubEKZE2p73+nSJ+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6776)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6716)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6776)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • Executable content was dropped or overwritten

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
      • powershell.exe (PID: 6776)
    • The process creates files with name similar to system file names

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
      • powershell.exe (PID: 6776)
    • Starts CMD.EXE for commands execution

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • The process executes Powershell scripts

      • cmd.exe (PID: 6716)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6716)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6776)
    • Process drops python dynamic module

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • Creates a software uninstall entry

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • Executes as Windows Service

      • tor.exe (PID: 7148)
    • Connects to unusual port

      • tor.exe (PID: 7148)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 2928)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 6776)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6776)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6776)
  • INFO

    • Checks supported languages

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
      • tor.exe (PID: 7116)
      • tor.exe (PID: 7148)
      • ssh-keygen.exe (PID: 6156)
      • ArmyPlus.exe (PID: 7060)
      • DismHost.exe (PID: 2928)
      • ArmyPlus.exe (PID: 6456)
    • Reads the computer name

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
      • tor.exe (PID: 7116)
      • ArmyPlus.exe (PID: 7060)
      • tor.exe (PID: 7148)
      • DismHost.exe (PID: 2928)
    • Create files in a temporary directory

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • The sample compiled with english language support

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
      • powershell.exe (PID: 6776)
    • Creates files in the program directory

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
      • powershell.exe (PID: 6776)
      • ssh-keygen.exe (PID: 6156)
      • tor.exe (PID: 7148)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6776)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6776)
    • Creates files or folders in the user directory

      • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (PID: 6668)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6776)
    • Reads the machine GUID from the registry

      • tor.exe (PID: 7116)
      • tor.exe (PID: 7148)
      • ArmyPlus.exe (PID: 7060)
      • ArmyPlus.exe (PID: 6456)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6776)
    • Sends debugging messages

      • powershell.exe (PID: 6776)
    • The executable file from the user directory is run by the Powershell process

      • DismHost.exe (PID: 2928)
    • The process uses the downloaded file

      • powershell.exe (PID: 6776)
    • Reads Environment values

      • DismHost.exe (PID: 2928)
    • Manual execution by a user

      • ArmyPlus.exe (PID: 6456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x352d
UninitializedDataSize: 2048
InitializedDataSize: 186880
CodeSize: 27136
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2021:09:25 21:57:46+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain shown in the graph (from start): d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe (no specs), d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe, cmd.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), armyplus.exe (no specs), tor.exe (no specs), tor.exe, ssh-keygen.exe (no specs), dismhost.exe (no specs), tiworker.exe (no specs), armyplus.exe (no specs)

Process information

PID: 6508
CMD: "C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe"
Path: C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6668
CMD: "C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe"
Path: C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6716
CMD: cmd /c start /min powershell -windowstyle hidden -ExecutionPolicy Bypass .\init.ps1
Path: C:\Windows\System32\cmd.exe
Parent process: d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 6724
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6776
CMD: powershell -windowstyle hidden -ExecutionPolicy Bypass .\init.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6792
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7060
CMD: "C:\Program Files (x86)\ArmyPlus\ArmyPlus.exe"
Path: C:\Program Files (x86)\ArmyPlus\ArmyPlus.exe
Parent process: d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
User:
admin
Integrity Level:
HIGH
Description:
ArmyPlus
Exit code:
0
Version:
0.9.6.0
Modules
Images
c:\program files (x86)\armyplus\armyplus.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7116
CMD: "C:\ProgramData\OneDriveData\Tor\tor.exe" --service install -options -f C:\ProgramData\OneDriveData\Data\Tor\conf
Path: C:\ProgramData\OneDriveData\Tor\tor.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\onedrivedata\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7148
CMD: "C:\ProgramData\OneDriveData\Tor\tor.exe" --nt-service "-f" "C:\ProgramData\OneDriveData\Data\Tor\conf"
Path: C:\ProgramData\OneDriveData\Tor\tor.exe
Parent process: services.exe
User:
LOCAL SERVICE
Integrity Level:
SYSTEM
Modules
Images
c:\programdata\onedrivedata\tor\tor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6156
CMD: "C:\WINDOWS\System32\OpenSSH\ssh-keygen.exe" -b 2048 -t rsa -f defaultssh -q -N ""
Path: C:\Windows\System32\OpenSSH\ssh-keygen.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
8.1.0.1
Modules
Images
c:\windows\system32\openssh\ssh-keygen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events: 9 487
Read events: 9 454
Write events: 28
Delete events: 5

Modification events

(PID) Process: (6668) d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ArmyPlus
Operation: write
Name: DisplayName
Value: ArmyPlus

(PID) Process: (6668) d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ArmyPlus
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\ArmyPlus\uninstall.exe

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31155135

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value:

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: DoqTime
Value: 0

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: DoqCount
Value: 0

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: PoqTime
Value: 0

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: PoqCount
Value: 0

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: RptTime
Value: 0

(PID) Process: (3224) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: RptCount
Value: 0
Executable files: 100
Suspicious files: 15
Text files: 35
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6776 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_azcq4j2d.zdf.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\ArmyPlus.exe | executable
MD5: A2F355057ADE20D32AFC5C4192CE3986
SHA256: B663E08CC267CDB7A02D5131CB04B8B05CB6AD13AC1D571C6AAFE69E06BF8F80

6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\guid.txt | text
MD5: ED0C7C1925AC23BD8B4D09E77AABB0EE
SHA256: 8BA4C3EDE1ED05A3AD7075FEE503215648EC078A13523492E2E91A59FA40C8DA

6776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF136370.TMP | binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Users\admin\AppData\Local\Temp\nso5FF7.tmp\modern-wizard.bmp | image
MD5: 3D8B4E018E8A1FB5EBC07DD31A4E2C82
SHA256: 7A391C5C367DED68E6078C908261B9AB817FFA3B052DBE618227D3FEE71D4D8A

6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\init.ps1 | text
MD5: 52853B39922251A4166A5B032E577E7A
SHA256: 86039BC8B1A6BB823F5CBF27D1A4A3B319B83D242F09FFCD96F38BBDBBAAA78F

6776 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1drbszgt.sfo.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5: C46BBEF559F8E1C9BC3EBDE423B1209A
SHA256: B92AFF01E65536EF93FA572DBF4315C07551F81D0B39C49202153BBEF0EEC749

6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\tor-win32-0.4.7.11.zip | compressed
MD5: 53E566693EDAD254C72EBDE361F0E6B0
SHA256: C9494749F02493BF3D53C849F9672FDA5426F90B1C34D81237A0BC24C0C6993A

6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\DLLs\_ctypes.pyd | executable
MD5: 92276F41FF9C856F4DBFA6508614E96C
SHA256: 9AB1F8CBB50DB3D9A00F74447A2275A89EC52D1139FC0A93010E59C412C2C850
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 38
DNS requests: 17
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1704 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3040 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
1704 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | | whitelisted
716 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
716 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5064 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
google.com | 142.250.186.46 | whitelisted
www.microsoft.com | 184.30.21.171, 2.23.246.101 | whitelisted
www.bing.com | 104.126.37.145, 104.126.37.131, 104.126.37.139 | whitelisted
login.live.com | 40.126.32.74, 20.190.160.17, 40.126.32.68, 40.126.32.136, 40.126.32.140, 20.190.160.22, 40.126.32.76, 40.126.32.134 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
fd.api.iris.microsoft.com | 20.105.99.58 | whitelisted

Threats

Class | Message

Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 850
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 822
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 822
Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 850
Process | Message

powershell.exe | PID=6776 TID=6916 DismApi.dll: - DismInitializeInternal
powershell.exe | PID=6776 TID=6916 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
powershell.exe | PID=6776 TID=6916 Lookup in table by path failed for: DummyPath-2BA51B78-C7F7-4910-B99D-BB7345357CDC - CTransactionalImageTable::LookupImagePath
powershell.exe | PID=6776 TID=6916 DismApi.dll: - DismInitializeInternal
powershell.exe | PID=6776 TID=6916 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
powershell.exe | PID=6776 TID=6916 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
powershell.exe | PID=6776 TID=6916 DismApi.dll: Parent process command line: powershell -windowstyle hidden -ExecutionPolicy Bypass .\init.ps1 - DismInitializeInternal
powershell.exe | PID=6776 TID=6916 Waiting for m_pInternalThread to start - CCommandThread::Start
powershell.exe | PID=6776 TID=6916 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
powershell.exe | PID=6776 TID=3060 Enter CCommandThread::CommandThreadProcedureStub - CCommandThread::CommandThreadProcedureStub