File name: svchost.exe
Full analysis: https://app.any.run/tasks/0051d606-a24f-439f-873b-65513cb30375
Verdict: Malicious activity
Threats:
XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: May 11, 2025, 06:40:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: telegram, evasion, xworm, ims-api, generic, crypto-regex, netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 0C1C7B442CB46C727F133BD699B562A7
SHA1: 112E1D44251D3A0E98E559E938D2984E4CDF270A
SHA256: D53047C7EF48D1DC57BF6D7100937EDDE63AFE47ADAE1B51E1BA942338F529B8
SSDEEP: 12288:zjAhVjmT3Y4q3uzC2v3isUf0CnUnSU6DR5qv:3Ah1CqezCK3isUf0CnUni7qv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • svchost.exe (PID: 4688)
    • Uses Task Scheduler to run other applications
      • svchost.exe (PID: 4688)
    • Create files in the Startup directory
      • svchost.exe (PID: 4688)
    • XWORM has been detected
      • svchost.exe (PID: 4688)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • svchost.exe (PID: 4688)
    • Starts a Microsoft application from unusual location
      • svchost.exe (PID: 4688)
    • Executable content was dropped or overwritten
      • svchost.exe (PID: 4688)
    • The process creates files with name similar to system file names
      • svchost.exe (PID: 4688)
    • Reads security settings of Internet Explorer
      • svchost.exe (PID: 4688)
    • Checks for external IP
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 4688)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • svchost.exe (PID: 4688)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • svchost.exe (PID: 4688)
    • Found regular expressions for crypto-addresses (YARA)
      • svchost.exe (PID: 4688)
    • The process executes via Task Scheduler
      • svchost.exe (PID: 4696)
      • svchost.exe (PID: 5392)
      • svchost.exe (PID: 1116)
      • svchost.exe (PID: 6676)
      • svchost.exe (PID: 4892)
    • Connects to unusual port
      • svchost.exe (PID: 4688)
  • INFO
    • Reads the computer name
      • svchost.exe (PID: 4688)
      • svchost.exe (PID: 4696)
      • svchost.exe (PID: 5392)
      • svchost.exe (PID: 1116)
      • svchost.exe (PID: 6676)
      • svchost.exe (PID: 4892)
    • Checks supported languages
      • svchost.exe (PID: 4688)
      • svchost.exe (PID: 4696)
      • svchost.exe (PID: 5392)
      • svchost.exe (PID: 1116)
      • svchost.exe (PID: 6676)
      • svchost.exe (PID: 4892)
    • Reads the machine GUID from the registry
      • svchost.exe (PID: 4688)
      • svchost.exe (PID: 4696)
      • svchost.exe (PID: 5392)
      • svchost.exe (PID: 1116)
      • svchost.exe (PID: 6676)
      • svchost.exe (PID: 4892)
    • Creates files or folders in the user directory
      • svchost.exe (PID: 4688)
    • Process checks computer location settings
      • svchost.exe (PID: 4688)
    • Disables trace logs
      • svchost.exe (PID: 4688)
    • Reads the software policy settings
      • svchost.exe (PID: 4688)
      • slui.exe (PID: 6272)
      • slui.exe (PID: 5436)
    • Checks proxy server information
      • svchost.exe (PID: 4688)
      • slui.exe (PID: 5436)
    • Attempting to use instant messaging service
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 4688)
    • .NET Reactor protector has been detected
      • svchost.exe (PID: 4688)
    • Create files in a temporary directory
      • svchost.exe (PID: 4688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (4688) svchost.exe
Telegram-Tokens (1): 7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU
Telegram-Info-Links for token 7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU:
  • Get info about bot: https://api.telegram.org/bot7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU/getMe
  • Get incoming updates: https://api.telegram.org/bot7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU/getUpdates
  • Get webhook: https://api.telegram.org/bot7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU/getWebhookInfo
  • Delete webhook: https://api.telegram.org/bot7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU/deleteWebhook
  • Drop incoming updates: https://api.telegram.org/bot7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU/deleteWebhook?drop_pending_updates=true
Telegram-Requests:
  • Token: 7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU
    End-Point: sendMessage
    Args: chat_id (1): 7708816962; text (1): [ Necrus Next-Gen ] New Report : Hardware ID : 3C54740F7CC0F23B53E5 IP Address : 141.11.36.24 Country : Italy Timestamp : 2025-05-11 06:40:52 User : admin OS
  • Token: 7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU
    End-Point: sendMessage
    Args: chat_id (1): 7708816962; text (1): [ Necrus Next-Gen ] New Report : Hardware ID : 3C54740F7CC0F23B53E5 IP Address : 141.11.36.24 Country : Italy Timestamp : 2025-05-11 06:40:52 User : admin OS : Microsoft Windows 10 Pro USB : False CPU : Intel i5-6400 @ 2.70GHz GPU : Microsoft Basic Display Adapter RAM :
  • Token: 7615347418:AAGwYIbIydKd8mtjX5Zh9LSHRpTKoSP00XU
    End-Point: sendMessage
    Args: chat_id (1): 7708816962; text (1): [ Necrus Next-Gen ] New Report : Hardware ID : 3C54740F7CC0F23B53E5 IP Address : 141.11.36.24 Country : Italy%
Telegram-Responses:
  ok: true
  result:
    message_id: 13459
    from: id 7615347418, is_bot true, first_name NJHGXZINMB, username NJHGXZINMB_Bot
    chat: id 7708816962, first_name moonfall, type private
    date: 1746945655
    text: [ Necrus Next-Gen ] New Report : Hardware ID : 3C54740F7CC0F23B53E5 IP Address : 141.11.36.24 Country : Italy Timestamp : 2025-05-11 06:40:52 User : admin OS : Microsoft Windows 10 Pro USB : False CPU : Intel i5-6400 @ 2.70GHz GPU : Microsoft Basic Display Adapter RAM : 3.99 GB Group : Power...
    entities: offset 83, length 12, type url
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 258560
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 10.0.26100.1150
ProductVersionNumber: 10.0.26100.1150
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Host Process for Windows Services
FileVersion: 10.0.26100.1150
InternalName: svchost.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: svchost.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.26100.1150
AssemblyVersion: 10.0.26100.1150
All screenshots are available in the full report
Total processes: 143
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown ("no specs" is the report's own node label):
  • svchost.exe (start, #XWORM)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • svchost.exe
  • svchost.exe (no specs)
  • slui.exe
  • svchost.exe (no specs)
  • svchost.exe (no specs)
  • svchost.exe (no specs)
  • svchost.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1116
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.26100.1150
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3676
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4120
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4688
CMD: "C:\Users\admin\Desktop\svchost.exe"
Path: C:\Users\admin\Desktop\svchost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.26100.1150
Modules
Images
c:\users\admin\desktop\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 4696
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.26100.1150
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 4892
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.26100.1150
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 5392
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.26100.1150
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 5436
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6272
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 054
Read events: 3 039
Write events: 15
Delete events: 0

Modification events

(PID) Process: (4688) svchost.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: svchost | Value: C:\Users\admin\AppData\Roaming\svchost.exe
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (4688) svchost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASMANCS | Operation: write | Name: EnableAutoFileTracing | Value: 0
Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4688 | svchost.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable
  MD5: 0C1C7B442CB46C727F133BD699B562A7
  SHA256: D53047C7EF48D1DC57BF6D7100937EDDE63AFE47ADAE1B51E1BA942338F529B8
4688 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | binary
  MD5: 837A290BEB2BD194B48B0A7BAC2812B2
  SHA256: 2397E31DEF6C32CF60869F5CFEB38396AFFC0D1D8837D62FB6D44536BBFE9EFC
4688 | svchost.exe | C:\Users\admin\AppData\Local\Temp\Log.tmp | text
  MD5: 0757D4A4013DB7E2EA50BB665463E458
  SHA256: C084274BC447236FCC1A6981C490F61308EC92A5882946BA507B9717428BF5AF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 38
DNS requests: 23
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6264 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6264 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4688 | svchost.exe | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
4688 | svchost.exe | 104.26.9.44:443 | ipapi.co | CLOUDFLARENET | US | shared

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59, 51.124.78.146 | whitelisted
crl.microsoft.com | 23.48.23.147, 23.48.23.156 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
google.com | 216.58.206.78 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
api.ipify.org | 104.26.12.205, 104.26.13.205, 172.67.74.152 | shared
ipapi.co | 104.26.9.44, 172.67.69.226, 104.26.8.44 | shared
api.telegram.org | 149.154.167.220 | whitelisted
login.live.com | 40.126.31.130, 40.126.31.71, 40.126.31.2, 40.126.31.0, 40.126.31.128, 20.190.159.4, 40.126.31.131, 20.190.159.131 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4688 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
2196 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
4688 | svchost.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4688 | svchost.exe | Misc activity | ET HUNTING Telegram API Certificate Observed