File name:

D.zip

Full analysis: https://app.any.run/tasks/07dc9099-1085-4b4f-adc2-820be53d8bc4
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 29, 2024, 06:55:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

D38535009A7E38A3A206641385306DEF

SHA1:

A33E290844F4701A56EE6DE69D0A662EFFA8ABB7

SHA256:

EF87057E16A41A109A35E434B1F08C41E5FE2237C7B6D649827259C6664ED897

SSDEEP:

98304:5o+GPZKaRrKNPSi4OJEigTenq0oAlb0Vn2rPVn7biy71XHyU4ppk4rMsvWgozKuo:IGcP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4808)

    • Accesses name of a computer manufacturer via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses Physical Memory (Win32_PhysicalMemory, may evade sandboxes) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses Processor(Win32_Processor, may evade sandboxes) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses Motherboard(Win32_BaseBoard, may evade sandboxes) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses BIOS(Win32_BIOS, may evade sandboxes) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses Video Controller(Win32_VideoController, may evade sandboxes) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses physical disk drive(Win32_DiskDrive) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses Sound Device(Win32_SoundDevice, may evade sandboxes) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses network adapter’s MAC address via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses the network adapter (Win32_NetworkAdapter) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 6940)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4152)

    • Access Product Name via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Executes WMI query (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses operating system name via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses computer name via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses WMI object caption (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses video controller name via WMI (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Checks Windows Trust Settings

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Reads security settings of Internet Explorer

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4808)

    • Checks proxy server information

      • slui.exe (PID: 3076)
      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Reads the computer name

      • 蓝云工具箱.exe (PID: 6224)
      • PLUGScheduler.exe (PID: 4152)
      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Manual execution by a user

      • 蓝云工具箱.exe (PID: 6224)
      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • UPX packer has been detected

      • 蓝云工具箱.exe (PID: 6224)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6940)
      • dllhost.exe (PID: 3888)

    • Checks supported languages

      • 蓝云工具箱.exe (PID: 6224)
      • PLUGScheduler.exe (PID: 4152)
      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Checks transactions between databases Windows and Oracle

      • rundll32.exe (PID: 6096)

    • Reads the software policy settings

      • dllhost.exe (PID: 3888)
      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 4152)

    • Reads Environment values

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)

    • Creates files or folders in the user directory

      • 蓝云工具箱.exe (PID: 6168)

    • Reads the machine GUID from the registry

      • 蓝云工具箱.exe (PID: 6168)
      • 蓝云工具箱.exe (PID: 6960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:03:16 03:28:00
ZipCRC: 0x7ea0667c
ZipCompressedSize: 714189
ZipUncompressedSize: 1853952
ZipFileName: ExuiKrnln_Win32.lib
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
288
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe slui.exe THREAT 蓝云工具箱.exe no specs explorer.exe no specs COpenControlPanel no specs rundll32.exe no specs %systemroot%\system32\intl.cpl no specs chsime.exe no specs plugscheduler.exe no specs 蓝云工具箱.exe 蓝云工具箱.exe

Process information

PID
CMD
Path
Indicators
Parent process
3076C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3888C:\WINDOWS\system32\DllHost.exe /Processid:{514B5E31-5596-422F-BE58-D804464683B5}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
1073807364
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
4152"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
4808"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\D.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5556C:\Windows\System32\InputMethod\CHS\ChsIME.exe -EmbeddingC:\Windows\System32\InputMethod\CHS\ChsIME.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft IME
Exit code:
1073807364
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\inputmethod\chs\chsime.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5592C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
6096"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cplC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6168"C:\Users\admin\Desktop\ck\蓝云工具箱.exe" C:\Users\admin\Desktop\ck\蓝云工具箱.exe
explorer.exe
User:
admin
Company:
万物永存技术工作室
Integrity Level:
MEDIUM
Description:
蓝云工具箱主程序
Exit code:
3221225547
Version:
5.6.0.560
Modules
Images
c:\users\admin\desktop\ck\蓝云工具箱.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6224"C:\Users\admin\Desktop\ck\蓝云工具箱.exe" C:\Users\admin\Desktop\ck\蓝云工具箱.exe
explorer.exe
User:
admin
Company:
万物永存技术工作室
Integrity Level:
MEDIUM
Description:
蓝云工具箱主程序
Exit code:
1073807364
Version:
5.6.0.560
Modules
Images
c:\users\admin\desktop\ck\蓝云工具箱.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6940C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1073807364
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
Total events
23 181
Read events
21 766
Write events
1 209
Delete events
206

Modification events

(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\D.zip
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop\ck
(PID) Process:(4808) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
3
Suspicious files
21
Text files
3
Unknown types
11

Dropped files

PID
Process
Filename
Type
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.032.etletl
MD5:673727AF7C6805E869C9F8BE1E468F4A
SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.031.etletl
MD5:079890A8EC8D5CB6523FCEC2209780AA
SHA256:0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.030.etletl
MD5:2F36C598EBFF5B5CDD898C9691D6BCCB
SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50
4808WinRAR.exeC:\Users\admin\Desktop\ck\蓝云工具箱.exeexecutable
MD5:85525D43DA8A4DD88BB4B2BE046DF9D0
SHA256:E3811FA2D1C62B482C2A67D44A83CA2FEEC929B84E65814B303DD5058D072A11
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.029.etletl
MD5:868E79A00A8204448B2FFC4F4D5C08EA
SHA256:148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.028.etletl
MD5:44A0E917AD0C126931B1BCD959285A9A
SHA256:DDFBE47E7DFD6D8B7517F2F6FF9808ECF3C0A25F588A9F96D04F4E2B4A578573
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.034.etletl
MD5:FA358BFEE9B4E1FFB7394D13CBBC4898
SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
4808WinRAR.exeC:\Users\admin\Desktop\ck\硬件检测引擎.dllexecutable
MD5:7C7C2D1F2AB39039E7691950784FCDDA
SHA256:08821486CFD9130D4ACDA60DDD9785CE7EC0179154FEAD60584C467136930C0C
4152PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.021.etletl
MD5:89BD161BF7B46C9078937CF832786737
SHA256:2B83DF5532E9F54ED301C8F82E2CDD489799C8D5222A2D44C97DCB151A96FAA9
4808WinRAR.exeC:\Users\admin\Desktop\ck\更新日志.htmlhtml
MD5:1500BBDFDD933A7558B4C9D487C58D0D
SHA256:0442521F9CE208DA243885E47117E28666E72E6F9EDFAFF1E6F6366524DFEC8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
87
DNS requests
53
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2888
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
4172
SystemSettings.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4172
SystemSettings.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2816
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6424
WmiPrvSE.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3952
svchost.exe
239.255.255.250:1900
whitelisted
6964
slui.exe
20.83.72.98:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5368
SearchApp.exe
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
5368
SearchApp.exe
2.23.209.162:443
www.bing.com
Akamai International B.V.
GB
unknown
6012
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1180
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3688
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2432
slui.exe
20.83.72.98:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 2.23.209.162
  • 2.23.209.166
  • 2.23.209.153
  • 2.23.209.156
  • 2.23.209.155
  • 2.23.209.160
  • 2.23.209.159
  • 2.23.209.154
  • 2.23.209.158
  • 2.23.209.136
  • 2.23.209.193
  • 2.23.209.192
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.135
  • 2.23.209.131
  • 2.23.209.139
  • 2.23.209.191
  • 2.23.209.140
  • 2.23.209.142
  • 2.23.209.150
  • 2.23.209.143
  • 2.23.209.148
  • 104.126.37.160
  • 104.126.37.186
  • 104.126.37.123
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.128
  • 104.126.37.170
  • 104.126.37.130
  • 104.126.37.185
  • 104.126.37.177
  • 104.126.37.176
  • 104.126.37.171
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.46
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.67
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.71
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.60
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
  • 20.199.58.43
whitelisted
th.bing.com
  • 2.23.209.160
  • 2.23.209.159
  • 2.23.209.163
  • 2.23.209.167
  • 2.23.209.166
  • 2.23.209.168
  • 2.23.209.169
  • 2.23.209.175
  • 2.23.209.162
  • 2.23.209.140
  • 2.23.209.142
  • 2.23.209.150
  • 2.23.209.139
  • 2.23.209.154
  • 2.23.209.143
  • 2.23.209.153
  • 2.23.209.148
  • 2.23.209.136
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.145
  • 104.126.37.154
  • 104.126.37.144
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info