analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Windows Update.exe

Full analysis: https://app.any.run/tasks/23e1cc70-56da-4011-bec5-9dd02a018016
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: November 29, 2020, 16:54:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

5FF1D397C5DEF736687FD438464F4911

SHA1:

DDCE0A2C3DDFC4739465504369E5297C62193FA4

SHA256:

E14078197E37D94FC3FC665A7A95B2C72CFD8E7F46400121D81D5089622DAC12

SSDEEP:

49152:M30dWPtn/qapAPO2ANpxrd2wexS3TYoxsz+:M3CWPtFAPOVpJsnSMoxsq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • Windows Update.exe (PID: 3004)
      • XINOF4.3.2 86 slaves.exe (PID: 2788)
      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 1824)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 2536)
      • cmd.exe (PID: 2200)
      • cmd.exe (PID: 3556)
      • cmd.exe (PID: 848)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2984)
      • schtasks.exe (PID: 2616)
      • schtasks.exe (PID: 320)
      • schtasks.exe (PID: 1944)

    • Writes to a start menu file

      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 1824)
      • XINOF4.3.2 86 slaves.exe (PID: 2788)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2144)
      • reg.exe (PID: 2868)
      • reg.exe (PID: 2272)
      • reg.exe (PID: 3392)

    • Application was dropped or rewritten from another process

      • XINOF4.3.2 86 slaves.exe (PID: 2788)

    • Task Manager has been disabled (taskmgr)

      • reg.exe (PID: 1700)

    • Disables Windows Defender

      • reg.exe (PID: 3948)

    • Changes settings of System certificates

      • mshta.exe (PID: 2876)

    • Renames files like Ransomware

      • XINOF4.3.2 86 slaves.exe (PID: 2788)

  • SUSPICIOUS

    • Drops a file with too old compile date

      • Windows Update.exe (PID: 3004)

    • Drops a file with a compile date too recent

      • Windows Update.exe (PID: 3004)
      • XINOF4.3.2 86 slaves.exe (PID: 2788)
      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 1824)

    • Executable content was dropped or overwritten

      • Windows Update.exe (PID: 3004)
      • XINOF4.3.2 86 slaves.exe (PID: 2788)
      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 1824)

    • Creates files in the program directory

      • XINOF4.3.2 86 slaves.exe (PID: 2788)
      • cmd.exe (PID: 1824)
      • cmd.exe (PID: 1716)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2152)

    • Starts CMD.EXE for commands execution

      • XINOF4.3.2 86 slaves.exe (PID: 2788)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 3940)

    • Creates files in the user directory

      • cmd.exe (PID: 1704)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1848)
      • cmd.exe (PID: 2444)
      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 3036)
      • cmd.exe (PID: 3176)
      • cmd.exe (PID: 1172)
      • cmd.exe (PID: 972)
      • cmd.exe (PID: 1340)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 1668)
      • cmd.exe (PID: 992)

    • Application launched itself

      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 3940)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 1900)

    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 3320)

    • Creates files like Ransomware instruction

      • cmd.exe (PID: 1824)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 480)

    • Adds / modifies Windows certificates

      • mshta.exe (PID: 2876)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • XINOF4.3.2 86 slaves.exe (PID: 2788)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 2876)

    • Dropped object may contain Bitcoin addresses

      • XINOF4.3.2 86 slaves.exe (PID: 2788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (82.9)
.exe | InstallShield setup (5.3)
.exe | Win32 EXE PECompact compressed (generic) (5.1)
.exe | UPX compressed Win32 Executable (3.3)
.exe | Win32 Executable Delphi generic (1.7)

EXIF

EXE

ProductVersion: 6.0.0.0
ProductName: -
OriginalFileName:
LegalTrademarks: -
LegalCopyright: Copyright © 2020
InternalName: -
FileVersion: 6.0.6.162
FileDescription: Windows Update
CompanyName: microsoft
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 6.0.6.162
FileVersionNumber: 6.0.6.162
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1ca28c
UninitializedDataSize: -
InitializedDataSize: 1099776
CodeSize: 1876480
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: microsoft
FileDescription: Windows Update
FileVersion: 6.0.6.162
InternalName: -
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFilename: -
ProductName: -
ProductVersion: 6.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
0x00001000
0x001CA0B4
0x001CA200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.43534
DATA
0x001CC000
0x0000969C
0x00009800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.19931
BSS
0x001D6000
0x00674421
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x0084B000
0x000031E4
0x00003200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.06798
.tls
0x0084F000
0x00000040
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x00850000
0x00000018
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.190489
.reloc
0x00851000
0x0001B308
0x0001B400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
6.66963
.rsrc
0x0086D000
0x000E4654
0x000E4800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
4.19576

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.95218
581
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
2.80231
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
3
3.00046
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
4
2.56318
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
5
2.6949
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
6
2.62527
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
7
2.91604
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
8
2.94931
308
Latin 1 / Western European
Chinese - PRC
RT_CURSOR
9
2.65772
308
Latin 1 / Western European
Chinese - PRC
RT_CURSOR
10
2.2183
308
Latin 1 / Western European
Chinese - PRC
RT_CURSOR

Imports

advapi32.dll
comctl32.dll
comdlg32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
95
Monitored processes
54
Malicious processes
2
Suspicious processes
6

Behavior graph

Click at the process to see the details
drop and start start windows update.exe no specs windows update.exe xinof4.3.2 86 slaves.exe cmd.exe no specs chcp.com no specs cmd.exe schtasks.exe no specs cmd.exe cmd.exe cmd.exe schtasks.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs reg.exe cmd.exe no specs reg.exe cmd.exe no specs reg.exe cmd.exe no specs reg.exe cmd.exe schtasks.exe no specs cmd.exe schtasks.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs taskkill.exe no specs icacls.exe no specs cmd.exe no specs taskkill.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
2464"C:\Users\admin\AppData\Local\Temp\Windows Update.exe" C:\Users\admin\AppData\Local\Temp\Windows Update.exeexplorer.exe
User:
admin
Company:
microsoft
Integrity Level:
MEDIUM
Description:
Windows Update
Exit code:
3221226540
Version:
6.0.6.162
3004"C:\Users\admin\AppData\Local\Temp\Windows Update.exe" C:\Users\admin\AppData\Local\Temp\Windows Update.exe
explorer.exe
User:
admin
Company:
microsoft
Integrity Level:
HIGH
Description:
Windows Update
Exit code:
0
Version:
6.0.6.162
2788"C:\Users\admin\AppData\Local\Temp\AutoRunPro0\XINOF4.3.2 86 slaves.exe" C:\Users\admin\AppData\Local\Temp\AutoRunPro0\XINOF4.3.2 86 slaves.exe
Windows Update.exe
User:
admin
Integrity Level:
HIGH
2152C:\Windows\system32\cmd.exe /c chcp 437C:\Windows\system32\cmd.exeXINOF4.3.2 86 slaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2156chcp 437C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2536C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /FC:\Windows\system32\cmd.exe
XINOF4.3.2 86 slaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2984schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /FC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1704C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"C:\Windows\system32\cmd.exe
XINOF4.3.2 86 slaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1824C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"C:\Windows\system32\cmd.exe
XINOF4.3.2 86 slaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2200C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /FC:\Windows\system32\cmd.exe
XINOF4.3.2 86 slaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
670
Read events
632
Write events
37
Delete events
1

Modification events

(PID) Process:(3004) Windows Update.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3004) Windows Update.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2144) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Michael Gillespie
Value:
C:\ProgramData\XINOF.exe
(PID) Process:(3392) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Michael Gillespie
Value:
C:\ProgramData\XINOF.exe
(PID) Process:(2272) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Michael Gillespie
Value:
C:\ProgramData\XINOF.exe
(PID) Process:(2868) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Michael Gillespie
Value:
C:\ProgramData\XINOF.exe
(PID) Process:(2588) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLinkedConnections
Value:
1
(PID) Process:(1700) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
1
(PID) Process:(3948) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableAntiSpyware
Value:
1
(PID) Process:(2972) reg.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
Operation:delete valueName:AlternateShell
Value:
cmd.exe
Executable files
5
Suspicious files
4 095
Text files
48
Unknown types
128

Dropped files

PID
Process
Filename
Type
1824cmd.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exeexecutable
MD5:0783D1A6ADBA6C3B14887B1E79E8BC8D
SHA256:A452C62023D0FED72D31BA2D1B23CD8842128778E87083AC10E89C4B6B68AA79
3004Windows Update.exeC:\Users\admin\AppData\Local\Temp\AutoRunPro0\autorun.arubinary
MD5:C60A898A3C8C24428A992E8A477AC398
SHA256:93F07ABCCFD0B5F69AD131D14C380F71D5D8AA02723984716928405E60EA5FFE
3004Windows Update.exeC:\Users\admin\AppData\Local\Temp\AutoRunPro0\XINOF4.3.2 86 slaves.exeexecutable
MD5:0783D1A6ADBA6C3B14887B1E79E8BC8D
SHA256:A452C62023D0FED72D31BA2D1B23CD8842128778E87083AC10E89C4B6B68AA79
1716cmd.exeC:\ProgramData\SystemIDtext
MD5:159430D4046E5A853A559DDC9610A2D7
SHA256:208E65F3183F6F09A822464924EDEF781F7DB1D9DFE4BA5178CBB044BF2E4889
3004Windows Update.exeC:\Users\admin\AppData\Local\Temp\AutoRunPro0\autorun.exeexecutable
MD5:5FF1D397C5DEF736687FD438464F4911
SHA256:E14078197E37D94FC3FC665A7A95B2C72CFD8E7F46400121D81D5089622DAC12
3088cmd.exeC:\ProgramData\Cpub.keyder
MD5:6BD1A6BD7C8BAA8B9CC9A0FF1AC20ADD
SHA256:740EB25D64BF0E7AD5C1B897945FC860C28E3BBA1CE4C097828D20B58BDF837F
2788XINOF4.3.2 86 slaves.exeC:\ProgramData\Help.txttext
MD5:2172DDC9533451898D68429F523302B5
SHA256:7EF7BB01F264756D620E25281C49868902972E6576CC0636BD95E3E138E632C3
2788XINOF4.3.2 86 slaves.exeC:\Users\admin\AppData\Local\Temp\Cpub.keyder
MD5:6BD1A6BD7C8BAA8B9CC9A0FF1AC20ADD
SHA256:740EB25D64BF0E7AD5C1B897945FC860C28E3BBA1CE4C097828D20B58BDF837F
2788XINOF4.3.2 86 slaves.exeC:\ProgramData\XINOF.exeexecutable
MD5:0783D1A6ADBA6C3B14887B1E79E8BC8D
SHA256:A452C62023D0FED72D31BA2D1B23CD8842128778E87083AC10E89C4B6B68AA79
1704cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exeexecutable
MD5:0783D1A6ADBA6C3B14887B1E79E8BC8D
SHA256:A452C62023D0FED72D31BA2D1B23CD8842128778E87083AC10E89C4B6B68AA79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
7
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2876
mshta.exe
GET
200
23.55.163.71:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
US
der
1.37 Kb
whitelisted
2876
mshta.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
2876
mshta.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
471 b
whitelisted
2876
mshta.exe
GET
200
23.55.163.67:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgSKQELDREbw0%2F0sEVi41vTPPQ%3D%3D
US
der
527 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2876
mshta.exe
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
2876
mshta.exe
23.55.163.67:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
US
unknown
2876
mshta.exe
209.197.3.24:443
code.jquery.com
Highwinds Network Group, Inc.
US
malicious
2876
mshta.exe
23.55.163.71:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
US
suspicious
2876
mshta.exe
212.33.193.82:443
uupload.ir
Honar Rayaneh Pooya Andisheh PJSC
IR
unknown
192.168.100.175:137
malicious

DNS requests

Domain
IP
Reputation
code.jquery.com
  • 209.197.3.24
whitelisted
uupload.ir
  • 212.33.193.82
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
isrg.trustid.ocsp.identrust.com
  • 23.55.163.71
  • 23.55.163.61
whitelisted
ocsp.int-x3.letsencrypt.org
  • 23.55.163.67
  • 23.55.163.68
  • 23.55.163.58
  • 23.55.163.61
  • 23.55.163.54
  • 23.55.163.53
  • 23.55.163.64
  • 23.55.163.60
  • 23.55.163.62
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Windows Update.exe