File name:

ee.exe

Full analysis: https://app.any.run/tasks/40fb71c6-3de3-4a53-89ff-bb968a56c75c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 29, 2026, 15:02:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
antivm
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 8 sections
MD5:

1847BDCDD89C0095AEFF787BFA950C31

SHA1:

11575A6132F6F6F2040FA2F64ADD9F79B6DDF303

SHA256:

E63619D7B614924DC14451CDCC6648C95D9510022923F355EFC3530D419334F8

SSDEEP:

98304:2/G9YLOOJlz1oaEODDxN0BQI/WIu+3iL5U8+opJVaeSoWbFDYOG3N/Ssvzn0KaWh:5IKQLT3AH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/change shared resources

      • ee.exe (PID: 2436)
      • net.exe (PID: 2960)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 2996)
      • net.exe (PID: 2220)
      • net.exe (PID: 680)
      • net.exe (PID: 7692)
      • net.exe (PID: 2832)
      • net.exe (PID: 3756)
      • ee.exe (PID: 2436)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 4136)
      • net.exe (PID: 2652)
      • net.exe (PID: 7684)
      • net.exe (PID: 7780)
      • net.exe (PID: 7588)
      • net.exe (PID: 7580)
      • net.exe (PID: 5772)
      • net.exe (PID: 5524)
      • net.exe (PID: 7656)
      • net.exe (PID: 6108)
      • net.exe (PID: 6892)
      • net.exe (PID: 2528)
      • net.exe (PID: 4304)
      • net.exe (PID: 2728)
      • net.exe (PID: 4704)
      • net.exe (PID: 6412)
      • net.exe (PID: 1824)
      • ee.exe (PID: 2436)
      • net.exe (PID: 7704)
      • net.exe (PID: 8052)

    • Starts NET.EXE to view/change users group

      • ee.exe (PID: 2436)
      • net.exe (PID: 6412)

    • Starts NET.EXE to view/change login properties

      • ee.exe (PID: 2436)
      • net.exe (PID: 6412)
      • net.exe (PID: 7604)

    • Steals credentials from Web Browsers

      • ee.exe (PID: 2436)

    • Actions looks like stealing of personal data

      • ee.exe (PID: 2436)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • ee.exe (PID: 2436)

    • Reads the BIOS version

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain a list of video controllers

      • ee.exe (PID: 2436)

    • Uses powercfg.exe to modify the power settings

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain memory chip information

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain CPU information

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain information about the network interface controller

      • ee.exe (PID: 2436)

    • The process bypasses the loading of PowerShell profile settings

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain desktop monitor information

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain BIOS management information

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain system information

      • ee.exe (PID: 2436)

    • Process uses ARP to discover network configuration

      • ee.exe (PID: 2436)

    • Uses ROUTE.EXE to obtain the routing table information

      • ee.exe (PID: 2436)

    • Suspicious use of NETSH.EXE

      • ee.exe (PID: 2436)

    • Gets the security privileges of the current user with WHOAMI command

      • ee.exe (PID: 2436)

    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 3156)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 3156)

    • Searches for installed software

      • ee.exe (PID: 2436)

    • Starts NET.EXE to map network drives

      • ee.exe (PID: 2436)

    • Uses NETSH.EXE to obtain data on the network

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain Windows Installer data

      • ee.exe (PID: 2436)

    • There is functionality for VM detection VMWare (YARA)

      • ee.exe (PID: 2436)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 8140)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 3536)

    • Uses QWINSTA.EXE to read information about user sessions on remote desktops

      • ee.exe (PID: 2436)

    • Uses WMIC.EXE to obtain quick Fix Engineering (patches) data

      • ee.exe (PID: 2436)

    • Lists all scheduled tasks in specific format

      • schtasks.exe (PID: 4816)

    • Named pipe usage

      • cmd.exe (PID: 7776)

    • Possible stealing from browsers

      • ee.exe (PID: 2436)

    • Process checks Powershell history file

      • ee.exe (PID: 2436)

    • Possible stealing of cloud data

      • ee.exe (PID: 2436)

    • Process checks presence of unattended files

      • ee.exe (PID: 2436)

    • Creates file in the systems drive root

      • ee.exe (PID: 2436)

    • Get credential information from host via cmdkey

      • ee.exe (PID: 2436)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2032)
      • sc.exe (PID: 7708)

    • Uses WMIC.EXE for persistence

      • ee.exe (PID: 2436)

    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 3536)

  • INFO

    • Reads the computer name

      • ee.exe (PID: 2436)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • ee.exe (PID: 2436)

    • Reads the machine GUID from the registry

      • ee.exe (PID: 2436)

    • Checks supported languages

      • ee.exe (PID: 2436)

    • Reads Environment values

      • ee.exe (PID: 2436)

    • Reads product name

      • ee.exe (PID: 2436)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1312)
      • WMIC.exe (PID: 2116)
      • WMIC.exe (PID: 6112)
      • WMIC.exe (PID: 1404)
      • WMIC.exe (PID: 4944)
      • WMIC.exe (PID: 5876)
      • WMIC.exe (PID: 7316)
      • WMIC.exe (PID: 6856)
      • WMIC.exe (PID: 7508)
      • WMIC.exe (PID: 1500)
      • WMIC.exe (PID: 7556)
      • WMIC.exe (PID: 3552)
      • WMIC.exe (PID: 2652)
      • WMIC.exe (PID: 4348)
      • WMIC.exe (PID: 1116)

    • Reads CPU info

      • ee.exe (PID: 2436)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6260)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 6884)

    • Application based on Golang

      • ee.exe (PID: 2436)

    • Reads the time zone

      • net1.exe (PID: 5168)
      • net1.exe (PID: 1116)
      • net1.exe (PID: 5892)
      • net1.exe (PID: 4684)
      • net1.exe (PID: 5760)

    • Process checks whether UAC notifications are on

      • ee.exe (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 12889600
InitializedDataSize: 468480
UninitializedDataSize: -
EntryPoint: 0x6f7a0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
236
Monitored processes
100
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start ee.exe conhost.exe no specs powershell.exe no specs powershell.exe no specs powercfg.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs powershell.exe no specs arp.exe no specs route.exe no specs net.exe no specs net1.exe no specs net.exe no specs netsh.exe no specs wmic.exe no specs netsh.exe no specs whoami.exe no specs manage-bde.exe no specs auditpol.exe no specs powershell.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs qwinsta.exe no specs wmic.exe no specs tiworker.exe no specs powershell.exe no specs schtasks.exe no specs cmd.exe no specs cmdkey.exe no specs cmd.exe no specs vaultcmd.exe no specs powershell.exe no specs sc.exe no specs sc.exe no specs logman.exe no specs wmic.exe no specs wmic.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
416C:\WINDOWS\system32\net1 localgroup "Remote Desktop Users"C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
672C:\WINDOWS\system32\net1 localgroupC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
680net user AdministratorC:\Windows\System32\net.exeee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
684cmdkey /listC:\Windows\System32\cmdkey.exeee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Credential Manager Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmdkey.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1116C:\WINDOWS\system32\net1 user adminC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
1116wmic /namespace:\\root\subscription path __FilterToConsumerBinding get /format:listC:\Windows\System32\wbem\WMIC.exeee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1176C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1192C:\WINDOWS\system32\net1 localgroup "Distributed COM Users"C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
1284vaultcmd "/listcreds:\"Windows Credentials\"" /allC:\Windows\System32\VaultCmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Vault cmdline Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vaultcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
1312wmic path Win32_VideoController get Name,AdapterRAM,DriverVersion,VideoProcessor,CurrentHorizontalResolution,CurrentVerticalResolution,AdapterCompatibility /format:listC:\Windows\System32\wbem\WMIC.exeee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
50 424
Read events
50 421
Write events
3
Delete events
0

Modification events

(PID) Process:(4056) powercfg.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\system32\powrprof.dll,-15
Value:
Balanced
(PID) Process:(1176) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31244173
(PID) Process:(1176) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
430071919
Executable files
0
Suspicious files
1
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
1176TiWorker.exeC:\Windows\Logs\CBS\CBS.log
MD5:
SHA256:
2396powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gtwkisxg.0uy.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6424powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b1gh3g0y.vwd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2396powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mswydbih.rm2.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6424powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_foz22ycg.ffq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6260powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wdpt4e4s.xy2.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6260powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbojaidn.irn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6260powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zeksougy.1j4.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3156powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_owod3kzw.m4l.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2396powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:1A907899CA63AE252D190F215E0E0B34
SHA256:24885E019A5EE6A6B5E5812FC2E353297A262D8800718F22D3B857B209870ECA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
38
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4680
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
2960
slui.exe
POST
500
48.192.1.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
text
512 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7984
svchost.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7984
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2960
slui.exe
POST
500
48.192.1.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
text
512 b
whitelisted
5316
svchost.exe
POST
200
40.126.31.129:443
https://login.live.com/RST2.srf
unknown
binary
1.24 Kb
whitelisted
5316
svchost.exe
POST
200
40.126.32.72:443
https://login.live.com/RST2.srf
unknown
1.24 Kb
whitelisted
4680
SIHClient.exe
GET
200
135.232.92.97:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
binary
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7984
svchost.exe
23.216.77.42:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
7984
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5208
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2960
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 192.178.183.101
  • 192.178.183.138
  • 192.178.183.102
  • 192.178.183.113
  • 192.178.183.100
  • 192.178.183.139
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.30
  • 23.216.77.38
  • 23.216.77.6
  • 23.216.77.8
  • 23.216.77.25
  • 23.216.77.22
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.74
  • 40.126.32.133
  • 20.190.160.2
  • 20.190.160.67
  • 20.190.160.22
  • 40.126.32.138
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.232.92.97
whitelisted
self.events.data.microsoft.com
  • 20.50.73.9
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ee.exe