File name: FlClash--windows-amd64-setup.exe

Full analysis: https://app.any.run/tasks/351b942c-e4fd-477a-8c6d-7080e7993b37
Verdict: Malicious activity
Analysis date: April 25, 2026, 07:21:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: delphi, inno, installer, evasion, antivm, golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: F651DEB09B976F28D22D6534DCB21159
SHA1: E1504F76385363793A3E48C7E447A6E41551FA99
SHA256: 0C3FBF0A8C31A7A3F3C053413CA9AA8E35BB10AA3392EF1215F878CD4D0CC65E
SSDEEP: 196608:wsceIoLWYs3BsX+k08f/5AYuM72CFFm7i9Vetml5CzbeweUGKO3aX1bcwcXTyJid:IZvsX+k0eRXb8BeMGUlEXTypo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • FlClash--windows-amd64-setup.exe (PID: 7800)
      • FlClash--windows-amd64-setup.exe (PID: 4784)
      • FlClash--windows-amd64-setup.tmp (PID: 5760)
    • Reads the Windows owner or organization settings

      • FlClash--windows-amd64-setup.tmp (PID: 5760)
      • FlClash.exe (PID: 1284)
    • Uses TASKKILL.EXE to kill process

      • FlClash--windows-amd64-setup.tmp (PID: 5760)
    • Reads the date of Windows installation

      • FlClash.exe (PID: 1284)
    • Windows service management via SC.EXE

      • sc.exe (PID: 3448)
    • Checks for external IP

      • FlClash.exe (PID: 1284)
      • svchost.exe (PID: 2232)
    • There is functionality for VM detection antiVM strings (YARA)

      • FlClashCore.exe (PID: 1684)
  • INFO

    • Create files in a temporary directory

      • FlClash--windows-amd64-setup.exe (PID: 7800)
      • FlClash--windows-amd64-setup.exe (PID: 4784)
      • FlClash--windows-amd64-setup.tmp (PID: 5760)
    • Checks supported languages

      • FlClash--windows-amd64-setup.exe (PID: 7800)
      • FlClash--windows-amd64-setup.tmp (PID: 2392)
      • FlClash--windows-amd64-setup.exe (PID: 4784)
      • FlClash--windows-amd64-setup.tmp (PID: 5760)
      • FlClash.exe (PID: 1284)
      • FlClashCore.exe (PID: 1684)
    • Reads security settings of Internet Explorer

      • FlClash--windows-amd64-setup.tmp (PID: 2392)
      • FlClash.exe (PID: 1284)
    • Reads the computer name

      • FlClash--windows-amd64-setup.tmp (PID: 2392)
      • FlClash--windows-amd64-setup.exe (PID: 4784)
      • FlClash--windows-amd64-setup.tmp (PID: 5760)
      • FlClash.exe (PID: 1284)
      • FlClashCore.exe (PID: 1684)
    • Process checks computer location settings

      • FlClash--windows-amd64-setup.tmp (PID: 2392)
    • Detects InnoSetup installer (YARA)

      • FlClash--windows-amd64-setup.exe (PID: 7800)
      • FlClash--windows-amd64-setup.exe (PID: 4784)
      • FlClash--windows-amd64-setup.tmp (PID: 2392)
      • FlClash--windows-amd64-setup.tmp (PID: 5760)
    • Compiled with Borland Delphi (YARA)

      • FlClash--windows-amd64-setup.exe (PID: 4784)
      • FlClash--windows-amd64-setup.tmp (PID: 5760)
      • FlClash--windows-amd64-setup.exe (PID: 7800)
      • FlClash--windows-amd64-setup.tmp (PID: 2392)
    • The sample compiled with english language support

      • FlClash--windows-amd64-setup.tmp (PID: 5760)
    • Reads product name

      • FlClash.exe (PID: 1284)
    • Creates a software uninstall entry

      • FlClash--windows-amd64-setup.tmp (PID: 5760)
    • Reads Windows Product ID

      • FlClash.exe (PID: 1284)
    • Reads Environment values

      • FlClash.exe (PID: 1284)
    • Disables trace logs

      • FlClash.exe (PID: 1284)
    • Creates files or folders in the user directory

      • FlClash.exe (PID: 1284)
      • FlClashCore.exe (PID: 1684)
    • There is functionality for taking screenshot (YARA)

      • FlClash.exe (PID: 1284)
    • Application based on Golang

      • FlClashCore.exe (PID: 1684)
    • Detects GO elliptic curve encryption (YARA)

      • FlClashCore.exe (PID: 1684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:01:02 11:55:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 725504
InitializedDataSize: 120832
UninitializedDataSize: -
EntryPoint: 0xb1e60
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: FlClash Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: FlClash
ProductVersion: 0.8.92+2026020201
No data.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 16
Malicious processes: 0
Suspicious processes: 3

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1284
CMD: "C:\Program Files\FlClash\\FlClash.exe"
Path: C:\Program Files\FlClash\FlClash.exe
Parent process: FlClash--windows-amd64-setup.tmp
User:
admin
Company:
com.follow
Integrity Level:
HIGH
Description:
FlClash
Version:
0.8.92+2026020201
Modules
Images
c:\program files\flclash\flclash.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\dwmapi.dll
PID: 1684
CMD: "C:\Program Files\FlClash\FlClashCore.exe" 49983
Path: C:\Program Files\FlClash\FlClashCore.exe
Parent process: FlClash.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files\flclash\flclashcore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 2232
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2392
CMD: "C:\Users\admin\AppData\Local\Temp\is-PYI1JXEOJP.tmp\FlClash--windows-amd64-setup.tmp" /SL5="$A02A0,30427807,847360,C:\Users\admin\Desktop\FlClash--windows-amd64-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-PYI1JXEOJP.tmp\FlClash--windows-amd64-setup.tmp
Parent process: FlClash--windows-amd64-setup.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1054.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-pyi1jxeojp.tmp\flclash--windows-amd64-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 3448
CMD: sc query FlClashHelperService
Path: C:\Windows\System32\sc.exe
Parent process: FlClash.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 4504
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: FlClashCore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4784
CMD: "C:\Users\admin\Desktop\FlClash--windows-amd64-setup.exe" /SPAWNWND=$24031A /FIRSTWND=$A02A0
Path: C:\Users\admin\Desktop\FlClash--windows-amd64-setup.exe
Parent process: FlClash--windows-amd64-setup.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
FlClash Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\flclash--windows-amd64-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 5304
CMD: "taskkill" /f /im FlClashCore.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: FlClash--windows-amd64-setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5760
CMD: "C:\Users\admin\AppData\Local\Temp\is-UQ75RQ9TIW.tmp\FlClash--windows-amd64-setup.tmp" /SL5="$1703AC,30427807,847360,C:\Users\admin\Desktop\FlClash--windows-amd64-setup.exe" /SPAWNWND=$24031A /FIRSTWND=$A02A0
Path: C:\Users\admin\AppData\Local\Temp\is-UQ75RQ9TIW.tmp\FlClash--windows-amd64-setup.tmp
Parent process: FlClash--windows-amd64-setup.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1054.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-uq75rq9tiw.tmp\flclash--windows-amd64-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events: 4 849
Read events: 4 816
Write events: 33
Delete events: 0

Modification events

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.7.0

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\FlClash

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\FlClash\

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: Selected Tasks
Value:

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: Deselected Tasks
Value: desktopicon

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: Inno Setup: Language
Value: english

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: DisplayName
Value: FlClash version 0.8.92+2026020201

(PID) Process: (5760) FlClash--windows-amd64-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\728B3532-C74B-4870-9068-BE70FE12A3E6_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files\FlClash\unins000.exe"
Executable files: 43
Suspicious files: 24
Text files: 44
Unknown types: 0

Dropped files

PID
Process
Filename
Type

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\is-3TTL95G30Y.tmp
Type:
MD5:
SHA256:

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\FlClashCore.exe
Type:
MD5:
SHA256:

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\dynamic_color_plugin.dll
Type: executable
MD5:8C5E6BC122A514011110FE78B73C98C6
SHA256:5FB02D9FE44F5D69A3F37997305CCBFDD762CDE2E171D8FDA8C3A1FE7907E591

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\is-ZI9CZHOKQC.tmp
Type: executable
MD5:5D16400084F534535C922180C562BD70
SHA256:0CCF6F4B2F6E89DDB50B3075FD6B604EF7C0D6B13CE377781D898DCD8F9C91D7

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\FlClash.exe
Type: executable
MD5:A3FAB6C1073385A0F6387E10A6BE27AF
SHA256:A74F74D87F25B28C9ECAB6FB527174A7A8E793495060A558E55B2D81916DE526

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\unins000.exe
Type: executable
MD5:A4E045C1DE6D04B05291FACEEF54EC74
SHA256:99CE72B0AF057AFA45C14AF1533CF5E93415CB02C4F6EFAA57932DCFA0FE4BCC

PID: 7800
Process: FlClash--windows-amd64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-PYI1JXEOJP.tmp\FlClash--windows-amd64-setup.tmp
Type: executable
MD5:5EF0E38988660A8F95667E85E41BEF29
SHA256:99EE7E3492866965E413F09A8435C6C58A3D5DFD105535032FDF446580C7BC09

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FRMOGDH3SU.tmp\_isetup\_setup64.tmp
Type: executable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 4784
Process: FlClash--windows-amd64-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-UQ75RQ9TIW.tmp\FlClash--windows-amd64-setup.tmp
Type: executable
MD5:5EF0E38988660A8F95667E85E41BEF29
SHA256:99EE7E3492866965E413F09A8435C6C58A3D5DFD105535032FDF446580C7BC09

PID: 5760
Process: FlClash--windows-amd64-setup.tmp
Filename: C:\Program Files\FlClash\is-WG1NPN475S.tmp
Type: executable
MD5:A4E045C1DE6D04B05291FACEEF54EC74
SHA256:99CE72B0AF057AFA45C14AF1533CF5E93415CB02C4F6EFAA57932DCFA0FE4BCC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 29
DNS requests: 24
Threats: 13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
3044 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3044 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
1284 | FlClash.exe | GET | | 172.66.175.107:443 | https://ipwho.is/ | US | | |
 | | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
5532 | SearchApp.exe | POST | 204 | 92.123.104.66:443 | https://www.bing.com/threshold/xls.aspx?t=5&dl=1&f=9&wsbc=1 | unknown | | | whitelisted
1284 | FlClash.exe | GET | 200 | 208.95.112.1:80 | http://208.95.112.1:80/json | US | text | 295 b | unknown
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | binary | 813 b | whitelisted
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 400 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | NL | binary | 824 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
 | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
 | | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
3044 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3044 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
2828 | slui.exe | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5208 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3044 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.154.102
  • 142.250.154.139
  • 142.250.154.101
  • 142.250.154.113
  • 142.250.154.138
  • 142.250.154.100
whitelisted
www.bing.com
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.205
whitelisted
api.github.com
  • 140.82.121.5
whitelisted
ipwho.is
  • 104.20.44.133
  • 172.66.175.107
whitelisted
api.myip.com
  • 172.67.75.163
  • 104.26.9.59
  • 104.26.8.59
whitelisted
ipapi.co
  • 104.26.9.44
  • 172.67.69.226
  • 104.26.8.44
  • 2606:4700:20::681a:82c
  • 2606:4700:20::ac43:45e2
  • 2606:4700:20::681a:92c
whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2232 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ident .me) in DNS Lookup
2232 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ident .me) in DNS Lookup
2232 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
2232 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
2232 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2232 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] External IP Check (ip-api .com)
2232 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2232 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
No debug info