File name: DispatcherPlugin-en-US.msi

Full analysis: https://app.any.run/tasks/568fc0ff-0525-4d1a-8c53-1fcfca5691f2
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: September 12, 2024, 11:18:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installer for the Kodiak Web Dispatcher Plugin, Author: Kodiak Networks, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Motorola Solutions Web Dispatch Plugin., Template: Intel;1033, Revision Number: {E627BE5B-EA31-4454-B75D-019E711A9478}, Create Time/Date: Tue Nov 14 12:00:38 2023, Last Saved Time/Date: Tue Nov 14 12:00:38 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
MD5: A28FF9C7F8A7857E3B098908B9B97A4E
SHA1: C5DEEB10103277EC15D5FF01B9869E6A6488EFEF
SHA256: F70318522C8D6B65873D2E0323086180F55D538EB28603ABBAC80BE45C0A4AC9
SSDEEP: 98304:Ri9NXUzsVJscRVre6QvhRHv6xruKMyBArG8FSTlgFy3zony1sjnODz3aRxwhCCHd:HUZGRlln/Sf3pftP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials

      • msiexec.exe (PID: 5532)
      • msiexec.exe (PID: 6840)
      • powershell.exe (PID: 2040)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 6840)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6840)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6840)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 6840)
    • Searches for installed software

      • explorer.exe (PID: 6580)
    • Application launched itself

      • powershell.exe (PID: 2040)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 2040)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2040)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3376)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6840)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6840)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5532)
      • explorer.exe (PID: 6580)
    • Checks proxy server information

      • msiexec.exe (PID: 5532)
    • Create files in a temporary directory

      • msiexec.exe (PID: 5532)
    • Reads the software policy settings

      • msiexec.exe (PID: 5532)
      • msiexec.exe (PID: 6840)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6840)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5532)
      • msiexec.exe (PID: 6840)
    • Reads the computer name

      • msiexec.exe (PID: 6840)
      • msiexec.exe (PID: 4088)
    • Checks supported languages

      • msiexec.exe (PID: 6840)
      • msiexec.exe (PID: 4088)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6840)
    • Manual execution by a user

      • powershell.exe (PID: 2040)
    • The process uses the downloaded file

      • powershell.exe (PID: 2040)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 2040)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6840)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Installer for the Kodiak Web Dispatcher Plugin
Author: Kodiak Networks, Inc.
Keywords: Installer
Comments: This installer database contains the logic and data required to install Motorola Solutions Web Dispatch Plugin.
Template: Intel;1033
RevisionNumber: {E627BE5B-EA31-4454-B75D-019E711A9478}
CreateDate: 2023:11:14 12:00:38
ModifyDate: 2023:11:14 12:00:38
Pages: 200
Words: 10
Software: Windows Installer XML (3.7.1224.0)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph (in start order): msiexec.exe, msiexec.exe, vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe (no specs), COpenControlPanel (no specs), explorer.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1060
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1440
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2040
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3376
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3972
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 4088
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 4A715BCB60B337A12A6123261EF45770
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5532
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\DispatcherPlugin-en-US.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6580
CMD: C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 6656
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue | Select-Object @{n='GUID';e={.PSChildName}}, @{n='Name'; e={.GetValue('DisplayName')}}, @{n='Version'; e={.GetValue('DisplayVersion')}}, @{n='UninstallString'; e={.GetValue('UninstallString')}} | Export-CSV -NoTypeInformation -Path %programs_x86%"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events: 51 744
Read events: 51 437
Write events: 292
Delete events: 15

Modification events

Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write | Name: SrCreateRp (Enter)
Value:
4800000000000000D022958A0505DB01B81A00000C0F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Enter)
Value:
4800000000000000D022958A0505DB01B81A00000C0F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Leave)
Value:
4800000000000000EBCCD68A0505DB01B81A00000C0F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Enter)
Value:
4800000000000000EBCCD68A0505DB01B81A00000C0F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Leave)
Value:
48000000000000002594DB8A0505DB01B81A00000C0F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppCreate (Enter)
Value:
48000000000000004A5CE08A0505DB01B81A00000C0F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write | Name: LastIndex
Value:
11
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGatherWriterMetadata (Enter)
Value:
48000000000000007FA34B8B0505DB01B81A00000C0F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: msiexec.exe (PID 6840) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write | Name: IDENTIFY (Enter)
Value:
4800000000000000C5064E8B0505DB01B81A0000A81B0000E803000001000000000000000000000049BF41244AB60B4DBBC35D9D965F7F5400000000000000000000000000000000
Process: VSSVC.exe (PID 3376) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write | Name: IDENTIFY (Enter)
Value:
480000000000000060E4598B0505DB01300D00006C180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 11
Suspicious files: 25
Text files: 13
Unknown types: 5

Dropped files

Columns: PID | Process | Filename | Type
PID: 6840 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\metadata-2 | Type: (not listed)
MD5:
SHA256:
PID: 6840 | Process: msiexec.exe | Filename: C:\Windows\Installer\12e7a9.msi | Type: (not listed)
MD5:
SHA256:
PID: 6840 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\snapshot-2 | Type: binary
MD5:1F9BD2DFC43D17561DCB408CC2D41D8B
SHA256:1BF955952A24D99F0BB9B2974EA71EB1283831D097B844A736D68499E52DF041
PID: 5532 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | Type: binary
MD5:31A325BCD02131A5BAC3CF5A5F1D2A17
SHA256:791F4C65B140AB355FD0C3AB5A9DFE8B5819F038A12527897A99CEB65DD7E50E
PID: 5532 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | Type: der
MD5:A0BF2DC52E54D7F7CAB032AD689DCB11
SHA256:7410452E7C7712771D37FB50CEC14353B69EF8DC6BB08F9513BD5A7381911CA3
PID: 5532 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_CADED3E400DCCC9CCD0CFEF27D36C757 | Type: binary
MD5:DA4810A5ADA23156B391F539A81B57BB
SHA256:72777BFF7E323ADE3DBFDB66399F8B0138985F4878352E3D96A76A6F52A11811
PID: 5532 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_CADED3E400DCCC9CCD0CFEF27D36C757 | Type: binary
MD5:805DB67A63985609F9CDA2976B376BC3
SHA256:D0FDE878B37716D6610C22B3677FA137244CEE04F180CCA3EF50B8B65693C790
PID: 6840 | Process: msiexec.exe | Filename: C:\Windows\Installer\inprogressinstallinfo.ipi | Type: binary
MD5:9123163BE39832EEF492F0D31BBDA412
SHA256:7A8379787C161D82DAE51598FC69DF73FD49D9A9D244B8052264CEA86285EAF3
PID: 6840 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\DispatcherPlugin\npDispatcherPlugin.dll | Type: executable
MD5:C61F0213854DF569E9B9B9A121529A3D
SHA256:4CB1770AB03087FC0D02199CF8A6917C6B0255C6F23F653C3260E3816614A7E1
PID: 6840 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\DispatcherPlugin\kn_up_custom_kodiak.xml | Type: xml
MD5:99B34D514041664CCB006D1E11070A97
SHA256:F0093F31F559C4E82606D994B3A647860CF4F0D99CFD1086EDB0880640B37683
HTTP(S) requests: 11
TCP/UDP connections: 61
DNS requests: 23
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (empty cells are omitted in the rows below)

2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5532 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEApjmQYUOOOgumbulaoaXEE%3D | unknown | whitelisted
5532 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
1944 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | unknown | whitelisted
568 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (empty cells are omitted in the rows below)

4 | System | 192.168.100.255:138 | whitelisted
6232 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6224 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(PID and process not listed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
5532 | msiexec.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1944 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1944 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Columns: Domain | IP | Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.206
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.74
  • 40.126.32.133
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.138
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
www.bing.com
  • 104.126.37.186
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.123
  • 104.126.37.184
  • 104.126.37.171
  • 104.126.37.179
  • 104.126.37.161
  • 104.126.37.155
whitelisted
r.bing.com
  • 104.126.37.153
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.154
  • 104.126.37.144
  • 104.126.37.146
whitelisted
th.bing.com
  • 104.126.37.130
  • 104.126.37.137
  • 104.126.37.186
  • 104.126.37.139
  • 104.126.37.179
  • 104.126.37.146
  • 104.126.37.131
  • 104.126.37.123
  • 104.126.37.184
whitelisted

Threats

No threats detected
No debug info