File name: DispatcherPlugin-en-US.msi

Full analysis: https://app.any.run/tasks/568fc0ff-0525-4d1a-8c53-1fcfca5691f2
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer malware category includes various types of programs, each focusing on its particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 12, 2024, 11:18:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installer for the Kodiak Web Dispatcher Plugin, Author: Kodiak Networks, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Motorola Solutions Web Dispatch Plugin., Template: Intel;1033, Revision Number: {E627BE5B-EA31-4454-B75D-019E711A9478}, Create Time/Date: Tue Nov 14 12:00:38 2023, Last Saved Time/Date: Tue Nov 14 12:00:38 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
MD5: A28FF9C7F8A7857E3B098908B9B97A4E
SHA1: C5DEEB10103277EC15D5FF01B9869E6A6488EFEF
SHA256: F70318522C8D6B65873D2E0323086180F55D538EB28603ABBAC80BE45C0A4AC9
SSDEEP: 98304:Ri9NXUzsVJscRVre6QvhRHv6xruKMyBArG8FSTlgFy3zony1sjnODz3aRxwhCCHd:HUZGRlln/Sf3pftP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Steals credentials

      • msiexec.exe (PID: 5532)
      • powershell.exe (PID: 2040)
      • msiexec.exe (PID: 6840)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6840)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3376)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6840)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 6840)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 6840)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6840)
    • Searches for installed software

      • explorer.exe (PID: 6580)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 2040)
    • Application launched itself

      • powershell.exe (PID: 2040)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2040)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6840)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5532)
      • explorer.exe (PID: 6580)
    • Reads the software policy settings

      • msiexec.exe (PID: 5532)
      • msiexec.exe (PID: 6840)
    • Reads the computer name

      • msiexec.exe (PID: 6840)
      • msiexec.exe (PID: 4088)
    • Checks supported languages

      • msiexec.exe (PID: 6840)
      • msiexec.exe (PID: 4088)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5532)
      • msiexec.exe (PID: 6840)
    • Checks proxy server information

      • msiexec.exe (PID: 5532)
    • Create files in a temporary directory

      • msiexec.exe (PID: 5532)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6840)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6840)
    • Manual execution by a user

      • powershell.exe (PID: 2040)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 2040)
    • The process uses the downloaded file

      • powershell.exe (PID: 2040)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6840)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Installer for the Kodiak Web Dispatcher Plugin
Author: Kodiak Networks, Inc.
Keywords: Installer
Comments: This installer database contains the logic and data required to install Motorola Solutions Web Dispatch Plugin.
Template: Intel;1033
RevisionNumber: {E627BE5B-EA31-4454-B75D-019E711A9478}
CreateDate: 2023:11:14 12:00:38
ModifyDate: 2023:11:14 12:00:38
Pages: 200
Words: 10
Software: Windows Installer XML (3.7.1224.0)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph: start, msiexec.exe, msiexec.exe, vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe (no specs), COpenControlPanel (no specs), explorer.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1060
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1440
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2040
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3376
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3972
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 4088
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 4A715BCB60B337A12A6123261EF45770
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5532
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\DispatcherPlugin-en-US.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6580
CMD: C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 6656
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue | Select-Object @{n='GUID';e={.PSChildName}}, @{n='Name'; e={.GetValue('DisplayName')}}, @{n='Version'; e={.GetValue('DisplayVersion')}}, @{n='UninstallString'; e={.GetValue('UninstallString')}} | Export-CSV -NoTypeInformation -Path %programs_x86%"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events: 51 744
Read events: 51 437
Write events: 292
Delete events: 15

Modification events

(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000D022958A0505DB01B81A00000C0F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000D022958A0505DB01B81A00000C0F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000EBCCD68A0505DB01B81A00000C0F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000EBCCD68A0505DB01B81A00000C0F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000002594DB8A0505DB01B81A00000C0F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000004A5CE08A0505DB01B81A00000C0F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
48000000000000007FA34B8B0505DB01B81A00000C0F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000C5064E8B0505DB01B81A0000A81B0000E803000001000000000000000000000049BF41244AB60B4DBBC35D9D965F7F5400000000000000000000000000000000
(PID) Process: (3376) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000060E4598B0505DB01300D00006C180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 11
Suspicious files: 25
Text files: 13
Unknown types: 5

Dropped files

PID | Process | Filename | Type
6840 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | (type not recorded)
MD5:
SHA256:
6840 | msiexec.exe | C:\Windows\Installer\12e7a9.msi | (type not recorded)
MD5:
SHA256:
5532 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
MD5:31A325BCD02131A5BAC3CF5A5F1D2A17
SHA256:791F4C65B140AB355FD0C3AB5A9DFE8B5819F038A12527897A99CEB65DD7E50E
6840 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{2441bf49-b64a-4d0b-bbc3-5d9d965f7f54}_OnDiskSnapshotProp | binary
MD5:1F9BD2DFC43D17561DCB408CC2D41D8B
SHA256:1BF955952A24D99F0BB9B2974EA71EB1283831D097B844A736D68499E52DF041
5532 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | der
MD5:A0BF2DC52E54D7F7CAB032AD689DCB11
SHA256:7410452E7C7712771D37FB50CEC14353B69EF8DC6BB08F9513BD5A7381911CA3
6840 | msiexec.exe | C:\Users\admin\AppData\Local\DispatcherPlugin\CDE.dll | executable
MD5:ADC17C0A00C5321F5BE831457035115B
SHA256:596D36E1E0F8390F774C348826E475A18F154CFFF9B291F8B75E093D8AE839B9
6840 | msiexec.exe | C:\Windows\Installer\MSIEA0A.tmp | binary
MD5:7EE2DF6EAAA5211D853E34C16D77D503
SHA256:7FA1A9C83D4ED9327E83A894E080D229DAC55C6D18A43EA91C27261A7A1CC37F
6840 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary
MD5:9123163BE39832EEF492F0D31BBDA412
SHA256:7A8379787C161D82DAE51598FC69DF73FD49D9A9D244B8052264CEA86285EAF3
6840 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5:1F9BD2DFC43D17561DCB408CC2D41D8B
SHA256:1BF955952A24D99F0BB9B2974EA71EB1283831D097B844A736D68499E52DF041
6840 | msiexec.exe | C:\Windows\Temp\~DFEA57D95EEFD30193.TMP | binary
MD5:9123163BE39832EEF492F0D31BBDA412
SHA256:7A8379787C161D82DAE51598FC69DF73FD49D9A9D244B8052264CEA86285EAF3
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 11
TCP/UDP connections: 61
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5532 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
1944 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5532 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEApjmQYUOOOgumbulaoaXEE%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
568 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
568 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6232 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6224 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
5532 | msiexec.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1944 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1944 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.206
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.74
  • 40.126.32.133
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.138
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
www.bing.com
  • 104.126.37.186
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.123
  • 104.126.37.184
  • 104.126.37.171
  • 104.126.37.179
  • 104.126.37.161
  • 104.126.37.155
whitelisted
r.bing.com
  • 104.126.37.153
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.154
  • 104.126.37.144
  • 104.126.37.146
whitelisted
th.bing.com
  • 104.126.37.130
  • 104.126.37.137
  • 104.126.37.186
  • 104.126.37.139
  • 104.126.37.179
  • 104.126.37.146
  • 104.126.37.131
  • 104.126.37.123
  • 104.126.37.184
whitelisted

Threats

No threats detected
No debug info