File name:

IDM_6.4x_Crack_v20.2.exe

Full analysis: https://app.any.run/tasks/399ac21e-f303-4ece-85b4-5d44c5db63e6
Verdict: Malicious activity
Analysis date: August 01, 2025, 02:19:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

689F245046CA30CE27203DE3EDEC8327

SHA1:

C03DCA393288C88ABDB9EF48B52CD92FC28B9F2C

SHA256:

D80B7BD24276190D25B7FEE3A09530C5A9736306DA83842D37A4D52D92BBA897

SSDEEP:

1536:1e+j44X5OjRutV4N8YLekTVrfg1JlCI0ZeKZMvrOAV:1e+04XNtVZi5fyJlL0ZfGDOAV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Changes powershell execution policy (Bypass)

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3112)

    • Starts Visual C# compiler

      • powershell.exe (PID: 3112)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 3112)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • The process executes VB scripts

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • The process bypasses the loading of PowerShell profile settings

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • The process hides Powershell's copyright startup banner

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Starts POWERSHELL.EXE for commands execution

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)
      • cmd.exe (PID: 5244)
      • cmd.exe (PID: 3000)
      • cmd.exe (PID: 5744)

    • Creates a directory (POWERSHELL)

      • powershell.exe (PID: 3112)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 3112)

    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 3112)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 3112)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5708)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 5708)

    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)
      • cmd.exe (PID: 4580)
      • cmd.exe (PID: 5244)

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)
      • cmd.exe (PID: 5244)
      • cmd.exe (PID: 2112)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)
      • cmd.exe (PID: 5244)

    • Application launched itself

      • cmd.exe (PID: 4580)
      • cmd.exe (PID: 5244)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5244)
      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 5244)

    • Hides command output

      • cmd.exe (PID: 5744)
      • cmd.exe (PID: 2112)

    • Reads security settings of Internet Explorer

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5244)

  • INFO

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)
      • csc.exe (PID: 5708)
      • cvtres.exe (PID: 1036)
      • reg.exe (PID: 2716)

    • Checks supported languages

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)
      • csc.exe (PID: 5708)
      • cvtres.exe (PID: 1036)
      • chcp.com (PID: 5876)

    • Reads the computer name

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Creates files or folders in the user directory

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Process checks computer location settings

      • IDM_6.4x_Crack_v20.2.exe (PID: 4648)

    • Disables trace logs

      • powershell.exe (PID: 3112)

    • Checks proxy server information

      • powershell.exe (PID: 3112)
      • wscript.exe (PID: 5716)
      • wscript.exe (PID: 5188)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 5708)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3112)

    • Reads mouse settings

      • powershell.exe (PID: 3112)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3112)

    • Checks operating system version

      • cmd.exe (PID: 5244)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 3628)
      • powershell.exe (PID: 6656)

    • Changes the display of characters in the console

      • cmd.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 61440
InitializedDataSize: 8192
UninitializedDataSize: 188416
EntryPoint: 0x3d220
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
200
Monitored processes
63
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start idm_6.4x_crack_v20.2.exe wscript.exe powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs tiworker.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs wscript.exe chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs slui.exe no specs svchost.exe idm_6.4x_crack_v20.2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
684reg query HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software\Classes\Wow6432Node\CLSID\IAS_TEST C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
828C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB50.tmp" "c:\Users\admin\AppData\Local\Temp\f2wiej4x\CSC9EF56DADFAD43D685466410B4F58A3E.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1040reg query "HKCU\Software\DownloadManager" "/v" "Serial" C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1132find /i "C:\Users\admin\AppData\Local\Temp" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1212reg query HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1560C:\WINDOWS\system32\cmd.exe /S /D /c" echo "C:\Users\admin\AppData\Local\Temp\BATCLEN.bat" "C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1632reg add HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software\Classes\Wow6432Node\CLSID\IAS_TESTC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1808C:\WINDOWS\system32\cmd.exe /S /D /c" echo prompt $E "C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1852find /i "computersystem" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
Total events
42 550
Read events
42 489
Write events
46
Delete events
15

Modification events

(PID) Process:(5716) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5716) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5716) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
0
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableCMD
Value:
0
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
0
(PID) Process:(4648) IDM_6.4x_Crack_v20.2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
0
Executable files
1
Suspicious files
6
Text files
29
Unknown types
4

Dropped files

PID
Process
Filename
Type
5716wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\ZHGXMTF4.xmltext
MD5:4578E6452BA4B6DB8F26638BEF27CD85
SHA256:6F03D6B5FC6A2CA8F3B8683848C0F16A14ABF316156AECD7606D047A651CD3F6
5716wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8der
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
4648IDM_6.4x_Crack_v20.2.exeC:\Users\admin\AppData\Local\Temp\IDM_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
3112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:910064FB755AF93275E1851EDB9D432D
SHA256:4115FE9462AF1F0FBC8558D31E98D7CD1E25CF15BA4806A414440C5B03E4F819
5716wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:3B3C98A8C62FD313D25D9942A143A9F4
SHA256:EA5E075FC009831A072D2CE85321E39C26FDDF06D0D673F5540546D92A719239
3112powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JGKF6CEEG1JV4667PPAL.tempbinary
MD5:910064FB755AF93275E1851EDB9D432D
SHA256:4115FE9462AF1F0FBC8558D31E98D7CD1E25CF15BA4806A414440C5B03E4F819
3112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yoyvet54.ti2.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5708csc.exeC:\Users\admin\AppData\Local\Temp\f2wiej4x\f2wiej4x.dllexecutable
MD5:72DC3030472482F13AADC148D9C94CF0
SHA256:7D57176C7BB5F22431D3C4635BFE6D03190C744C2131EE919181B71075ADEC7C
4648IDM_6.4x_Crack_v20.2.exeC:\Users\admin\AppData\Roaming\WinRAR\rarreg.keytext
MD5:CC72935D4E4BD54DB0ED6BF4701FDC9E
SHA256:2ABE74BB821BA46762AFDB23EAC95454EC7155D5379E3CD56385D900C34CB1BF
3112powershell.exeC:\Users\admin\AppData\Local\Temp\f2wiej4x\f2wiej4x.cmdlinetext
MD5:C45ACA8D418892709D547BB5D7497162
SHA256:EA7BC13182FAE5234F610BB7EE309DC4231A5F2D1F65A3BA98E3577AE38F201B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5716
wscript.exe
GET
200
142.250.185.163:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6356
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6356
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5716
wscript.exe
GET
200
142.250.185.163:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
6216
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5716
wscript.exe
188.114.96.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown
5716
wscript.exe
142.250.185.163:80
c.pki.goog
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6216
svchost.exe
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6216
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown
c.pki.goog
  • 142.250.185.163
whitelisted
login.live.com
  • 20.190.160.3
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.67
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
christitus.com
  • 104.26.3.223
  • 104.26.2.223
  • 172.67.70.188
malicious
github.com
  • 140.82.121.4
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_Crack_v20.2.exe