File name:

loader.exe

Full analysis: https://app.any.run/tasks/f24798a2-d972-45c6-a97d-cc8e98c34dba
Verdict: Malicious activity
Analysis date: July 04, 2025, 21:43:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

20EA51573F9DD3778B719C93A2227803

SHA1:

92E35BF9C952ECD36AC391760A1BEA171846AD1F

SHA256:

DF0B77C98C2C3E55DAF48052D276AE65258EFBAA4689F960701198DD7CEE29CF

SSDEEP:

384:Zapc0TO7KngI095jiIsjdipBJLwEBkloDoQV:EK0/D0nmEpBlwkkl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was injected by another process

      • svchost.exe (PID: 5048)
      • RuntimeBroker.exe (PID: 5224)
      • StartMenuExperienceHost.exe (PID: 5160)
      • SearchApp.exe (PID: 5328)
      • RuntimeBroker.exe (PID: 5448)
      • dllhost.exe (PID: 5604)
      • ApplicationFrameHost.exe (PID: 5096)
      • TextInputHost.exe (PID: 2772)
      • RuntimeBroker.exe (PID: 4376)
      • UserOOBEBroker.exe (PID: 5936)
      • ctfmon.exe (PID: 4468)
      • sihost.exe (PID: 4180)
      • svchost.exe (PID: 4204)
      • explorer.exe (PID: 4772)
      • svchost.exe (PID: 4248)
      • svchost.exe (PID: 464)
      • winlogon.exe (PID: 672)
      • svchost.exe (PID: 880)
      • dwm.exe (PID: 776)
      • svchost.exe (PID: 1072)
      • lsass.exe (PID: 764)
      • svchost.exe (PID: 1452)
      • fontdrvhost.exe (PID: 908)
      • fontdrvhost.exe (PID: 916)
      • svchost.exe (PID: 1000)
      • svchost.exe (PID: 1304)
      • svchost.exe (PID: 6984)
      • dllhost.exe (PID: 2484)
      • RuntimeBroker.exe (PID: 5436)
      • default-browser-agent.exe (PID: 4040)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1312)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1912)
      • svchost.exe (PID: 1360)
      • svchost.exe (PID: 1548)
      • svchost.exe (PID: 1120)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 2200)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 1952)
      • svchost.exe (PID: 1996)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 3276)
      • spoolsv.exe (PID: 2560)
      • svchost.exe (PID: 2436)
      • svchost.exe (PID: 2100)
      • svchost.exe (PID: 2928)
      • svchost.exe (PID: 2956)
      • OfficeClickToRun.exe (PID: 2920)
      • svchost.exe (PID: 2912)
      • svchost.exe (PID: 2940)
      • svchost.exe (PID: 2568)
      • svchost.exe (PID: 2784)
      • svchost.exe (PID: 2868)
      • svchost.exe (PID: 2336)
      • svchost.exe (PID: 3612)
      • svchost.exe (PID: 3036)
      • svchost.exe (PID: 3064)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 2412)
      • svchost.exe (PID: 2252)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 2752)
      • svchost.exe (PID: 3076)
      • dasHost.exe (PID: 4048)
      • svchost.exe (PID: 4140)
      • svchost.exe (PID: 1084)
      • svchost.exe (PID: 3968)
      • svchost.exe (PID: 4424)
      • svchost.exe (PID: 4392)
      • svchost.exe (PID: 4668)
      • svchost.exe (PID: 428)
      • svchost.exe (PID: 3692)
      • svchost.exe (PID: 368)
      • svchost.exe (PID: 4632)
      • svchost.exe (PID: 6884)
      • svchost.exe (PID: 4448)
      • svchost.exe (PID: 5540)
      • svchost.exe (PID: 6024)
      • uhssvc.exe (PID: 6844)
      • MoUsoCoreWorker.exe (PID: 5944)
      • svchost.exe (PID: 3080)
      • dllhost.exe (PID: 1676)
      • svchost.exe (PID: 6708)
      • WaaSMedicAgent.exe (PID: 7864)
      • RUXIMICS.exe (PID: 1964)
      • svchost.exe (PID: 1688)
      • svchost.exe (PID: 3652)
      • slui.exe (PID: 2848)
      • UsoClient.exe (PID: 1512)
      • slui.exe (PID: 5460)
      • MusNotification.exe (PID: 1936)
      • taskhostw.exe (PID: 620)
      • svchost.exe (PID: 4080)
      • svchost.exe (PID: 5500)
      • svchost.exe (PID: 2592)
      • svchost.exe (PID: 4260)
      • audiodg.exe (PID: 2304)
      • PLUGScheduler.exe (PID: 5920)
      • SppExtComObj.Exe (PID: 6612)
      • slui.exe (PID: 1700)
      • slui.exe (PID: 4960)
      • WmiPrvSE.exe (PID: 12220)
      • conhost.exe (PID: 7872)

    • Runs injected code in another process

      • winupd.exe (PID: 4088)
      • Taskmgr.exe (PID: 8064)
      • slui.exe (PID: 5720)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • loader.exe (PID: 1208)

    • Executable content was dropped or overwritten

      • loader.exe (PID: 1208)

    • Reads the date of Windows installation

      • loader.exe (PID: 1208)

    • Starts itself from another location

      • loader.exe (PID: 1208)

  • INFO

    • Reads the computer name

      • loader.exe (PID: 1208)
      • winupd.exe (PID: 4088)
      • PLUGScheduler.exe (PID: 5920)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • Taskmgr.exe (PID: 8064)
      • WmiPrvSE.exe (PID: 12220)

    • Checks proxy server information

      • loader.exe (PID: 1208)
      • slui.exe (PID: 1700)
      • WmiPrvSE.exe (PID: 12220)

    • Creates files or folders in the user directory

      • loader.exe (PID: 1208)

    • Reads the software policy settings

      • loader.exe (PID: 1208)
      • lsass.exe (PID: 764)
      • WaaSMedicAgent.exe (PID: 7864)
      • WmiPrvSE.exe (PID: 12220)
      • slui.exe (PID: 1700)

    • Create files in a temporary directory

      • loader.exe (PID: 1208)

    • Reads the machine GUID from the registry

      • loader.exe (PID: 1208)

    • Process checks computer location settings

      • loader.exe (PID: 1208)

    • Checks supported languages

      • loader.exe (PID: 1208)
      • winupd.exe (PID: 4088)

    • Manual execution by a user

      • Taskmgr.exe (PID: 8016)
      • Taskmgr.exe (PID: 8064)

    • Reads the time zone

      • WmiPrvSE.exe (PID: 12220)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2920)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:04 21:29:42+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 9216
InitializedDataSize: 11264
UninitializedDataSize: -
EntryPoint: 0x226c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
116
Malicious processes
27
Suspicious processes
85

Behavior graph

Click at the process to see the details
start loader.exe winupd.exe no specs waasmedicagent.exe conhost.exe taskmgr.exe no specs taskmgr.exe wmiprvse.exe slui.exe no specs svchost.exe svchost.exe svchost.exe taskhostw.exe winlogon.exe lsass.exe dwm.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe usoclient.exe svchost.exe dllhost.exe svchost.exe slui.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe musnotification.exe svchost.exe ruximics.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe textinputhost.exe svchost.exe slui.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe loader.exe no specs default-browser-agent.exe dashost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe svchost.exe explorer.exe slui.exe svchost.exe applicationframehost.exe startmenuexperiencehost.exe runtimebroker.exe searchapp.exe runtimebroker.exe runtimebroker.exe slui.exe svchost.exe svchost.exe dllhost.exe plugscheduler.exe useroobebroker.exe mousocoreworker.exe svchost.exe sppextcomobj.exe svchost.exe uhssvc.exe svchost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
368C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s AppinfoC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
428C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWksC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
464C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
620taskhostw.exe NoneC:\Windows\System32\taskhostw.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskhostw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
672winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
764C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
776"dwm.exe"C:\Windows\System32\dwm.exe
winlogon.exe
User:
DWM-1
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Desktop Window Manager
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
880C:\WINDOWS\system32\svchost.exe -k DcomLaunch -pC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\msvcrt.dll
908"fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe
wininit.exe
User:
UMFD-0
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Usermode Font Driver Host
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fontdrvhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
916"fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe
winlogon.exe
User:
UMFD-1
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Usermode Font Driver Host
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fontdrvhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
Total events
39 481
Read events
38 744
Write events
464
Delete events
273

Modification events

(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000007ED94EAB01020000
(PID) Process:(1208) loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1208) loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1208) loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4632) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\AppData\Local\Temp\loader.exe
Value:
5341435001000000000000000700000028000000004E00000000000001000000000000000000000A7322000050BB64EDDDACD5010000000000000000
(PID) Process:(4632) svchost.exeKey:\REGISTRY\A\{cd5fe01f-d190-e11c-eca9-171e7b03ecf7}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(4632) svchost.exeKey:\REGISTRY\A\{cd5fe01f-d190-e11c-eca9-171e7b03ecf7}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(4632) svchost.exeKey:\REGISTRY\A\{cd5fe01f-d190-e11c-eca9-171e7b03ecf7}\Root\InventoryApplicationFile\loader.exe|ea6e4fcf97a56605
Operation:writeName:ProgramId
Value:
00068b220cac8cbcfca5d8869f149f7b79eb0000ffff
(PID) Process:(4632) svchost.exeKey:\REGISTRY\A\{cd5fe01f-d190-e11c-eca9-171e7b03ecf7}\Root\InventoryApplicationFile\loader.exe|ea6e4fcf97a56605
Operation:writeName:FileId
Value:
000092e35bf9c952ecd36ac391760a1bea171846ad1f
(PID) Process:(4632) svchost.exeKey:\REGISTRY\A\{cd5fe01f-d190-e11c-eca9-171e7b03ecf7}\Root\InventoryApplicationFile\loader.exe|ea6e4fcf97a56605
Operation:writeName:LowerCaseLongPath
Value:
c:\users\admin\appdata\local\temp\loader.exe
Executable files
4
Suspicious files
52
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
1208loader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
1304svchost.exeC:\Windows\System32\Tasks\Windows Update Taskxml
MD5:9862938BDBB1484E7E32D1D8AA295888
SHA256:71E4DFDC1AD69D86319A23AC5B7A072D8460DDE21B28179B8EF88F9F2612548A
1208loader.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\spread[1].dllexecutable
MD5:A4782A85D43F7082DB91A66540B7A11D
SHA256:6DCEA307BEB2E656A982CE878384FF0354F39A26FB9999DC377A83689C13A952
1208loader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:3F0CC77601254902258501ACEFF48A07
SHA256:314A750807434BFEBF12F883C9C8018337D548509E86B8A903FB1A5A0E829A69
1784svchost.exeC:\Windows\Prefetch\SVCHOST.EXE-61541290.pfbinary
MD5:A72ABC7EB376AB01A1353673055ED890
SHA256:C98E7CBCAB0A8BAE42535297B0F0C6EE5CB6EB924B3DF455D8DF260FE1F55905
1208loader.exeC:\Windows\System32\spread.dllexecutable
MD5:A4782A85D43F7082DB91A66540B7A11D
SHA256:6DCEA307BEB2E656A982CE878384FF0354F39A26FB9999DC377A83689C13A952
1208loader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:3810B14C5B895BFCB08DBD7952DDE6AB
SHA256:94EAF5366E5FA49F766227B8B7FA75A53CF73556FDDD8606C7387C5701A2D5F0
1784svchost.exeC:\Windows\Prefetch\SVCHOST.EXE-D1174AA4.pfbinary
MD5:8552BF7666D6B9025A1E22366D6C09C2
SHA256:B6F2A8E3C89D4DC52DDBA25CF8372C5C2F553410ECF5B04E29F1EF092A5DB6B0
1784svchost.exeC:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pfbinary
MD5:2487AD2968AE33B19607CD7B84F89E1F
SHA256:C01835D8175EB1037C15E15245A759A3467730F99EBE3F58092C0824E4303749
1784svchost.exeC:\Windows\Prefetch\SLUI.EXE-724E99D9.pfbinary
MD5:24DA0807C403CC8B776FC6B9EB0EC1A8
SHA256:A711FF4DF1D628DA2BB21158207981CABF6AB4F819DB540F50A2221E8FB5FA7F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
35
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1208
loader.exe
GET
200
142.250.184.227:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
1208
loader.exe
GET
200
142.250.184.227:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1688
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1812
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
12220
WmiPrvSE.exe
GET
200
142.250.186.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
1812
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
12220
WmiPrvSE.exe
GET
200
142.250.186.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1208
loader.exe
104.21.57.147:443
cdn.starlab.sh
CLOUDFLARENET
unknown
1208
loader.exe
142.250.184.227:80
c.pki.goog
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1688
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1688
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
cdn.starlab.sh
  • 104.21.57.147
  • 172.67.146.164
unknown
c.pki.goog
  • 142.250.184.227
  • 142.250.186.99
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.155
  • 23.48.23.158
  • 23.48.23.173
  • 23.48.23.153
  • 23.48.23.169
  • 23.48.23.150
  • 23.48.23.168
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.69
  • 40.126.31.130
  • 20.190.159.129
  • 20.190.159.64
  • 20.190.159.131
  • 40.126.31.71
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
loader.exe