File name: VSetup.zip

Full analysis: https://app.any.run/tasks/e02585fc-4d90-443f-a4b2-286d04ce19cd
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 31, 2025, 19:42:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
eternity
ransomware
eternity ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 017E58BEE1282C15D1A72C75B3456DDC
SHA1: 06907DA07CD5C1A2BF18F425F1A31D7E66741012
SHA256: 1DF9BE8EDED0CCEEE4FC03C3B61BD4132F4D78EC041E56B45C8D6C65B9956B6D
SSDEEP: 12288:IHOCVT25qW7XpKXZitlAopf0YIVEfsySz7iuDo:zCVTKqeXpKX0tl5f0YIWlSz7iuDo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for self-deleting

      • winlogon.exe (PID: 3304)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 4976)
    • RANSOMWARE has been detected

      • winlogon.exe (PID: 4620)
      • winlogon.exe (PID: 7900)
    • ETERNITY has been detected (YARA)

      • winlogon.exe (PID: 7900)
    • Renames files like ransomware

      • winlogon.exe (PID: 7900)
    • ETERNITY has been detected

      • winlogon.exe (PID: 7900)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 5324)
    • Drops 7-zip archiver for unpacking

      • winlogon.exe (PID: 3304)
      • VSetup.exe (PID: 6744)
    • Reads security settings of Internet Explorer

      • winlogon.exe (PID: 3304)
    • Starts a Microsoft application from unusual location

      • VSetup.exe (PID: 6744)
    • Executable content was dropped or overwritten

      • VSetup.exe (PID: 6744)
      • winlogon.exe (PID: 3304)
    • Application launched itself

      • winlogon.exe (PID: 4652)
      • winlogon.exe (PID: 7852)
      • winlogon.exe (PID: 4200)
    • Starts CMD.EXE for commands execution

      • winlogon.exe (PID: 3304)
    • The executable file from the user directory is run by the CMD process

      • winlogon.exe (PID: 7852)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4976)
    • The process executes via Task Scheduler

      • winlogon.exe (PID: 4200)
  • INFO

    • Manual execution by a user

      • VSetup.exe (PID: 6744)
      • Taskmgr.exe (PID: 7840)
      • Taskmgr.exe (PID: 7788)
      • Taskmgr.exe (PID: 2092)
      • Taskmgr.exe (PID: 7436)
    • Checks supported languages

      • VSetup.exe (PID: 6744)
      • winlogon.exe (PID: 4652)
      • chcp.com (PID: 8092)
      • winlogon.exe (PID: 7852)
      • winlogon.exe (PID: 7900)
      • winlogon.exe (PID: 3304)
      • winlogon.exe (PID: 4200)
      • winlogon.exe (PID: 4620)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5324)
    • The sample compiled with English language support

      • WinRAR.exe (PID: 5324)
      • VSetup.exe (PID: 6744)
      • winlogon.exe (PID: 3304)
    • Reads the computer name

      • VSetup.exe (PID: 6744)
      • winlogon.exe (PID: 4652)
      • winlogon.exe (PID: 3304)
      • winlogon.exe (PID: 7852)
      • winlogon.exe (PID: 4620)
      • winlogon.exe (PID: 4200)
      • winlogon.exe (PID: 7900)
    • Create files in a temporary directory

      • VSetup.exe (PID: 6744)
    • Reads the machine GUID from the registry

      • winlogon.exe (PID: 4652)
      • winlogon.exe (PID: 3304)
      • winlogon.exe (PID: 7852)
      • winlogon.exe (PID: 4200)
      • winlogon.exe (PID: 4620)
      • winlogon.exe (PID: 7900)
    • Creates files or folders in the user directory

      • winlogon.exe (PID: 3304)
    • Changes the display of characters in the console

      • cmd.exe (PID: 4976)
    • Launch of the file from Task Scheduler

      • cmd.exe (PID: 4976)
    • Process checks computer location settings

      • winlogon.exe (PID: 3304)
    • Reads the software policy settings

      • slui.exe (PID: 7376)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 7436)

Eternity

(PID) Process: (7900) winlogon.exe
Strings (97)
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
taskmgr
processHacker
procmon
procmon64
mmc
ServiceHub
/C chcp 65001 &&
ping 127.0.0.1 &&
schtasks /create /tn "{0}" /sc MINUTE /tr "{1}" /rl {2} /f &&
LIMITED
HIGHEST
START "" "{0}"
cmd.exe
uk
Glory to Ukraine!
Blocked
Locked
Unlocked
Software
TimeLeft
Software
TimeLeft
Data deleted
dd\:hh\:mm\:ss
Please specify key file path
Please select private key (not public)
Invalid key
Failed decrypt:
Error
Data decrypted!
Success!
Select private key file
Arial
textBoxPrivateKeyPath
Yu Gothic UI
buttonDecrypt
Decrypt
Yu Gothic UI
labelEncryptionKey
Private key file:
Yu Gothic UI
textBoxDescription
Sample text
labelTitle
Eternity Ransomware
Yu Gothic UI
buttonExit
panelControls
Yu Gothic UI
buttonMinimize
-
Yu Gothic UI
buttonBrowsePrivateKeyFile
. . .
Yu Gothic UI
labelTimeLeft
Time Left: --.--.--.--
pictureBoxEncryptionState
MainForm
Eternity
86400
Firefox
<RSAKeyValue><Modulus>vbyD1urnWxQCko9c/rt5l+vuzm/GUVdnBVPJ+4/L5bqDSc3kxn8PXVx7mHCpLXZ76Hmy1I3k9/T+FlGoGgcp0/mR8X/2ZiWvzfpPUcw/s91kE+VSCOQq6mAb6CE7vjcLakvIzJh2W5tk31bClMblS2Jikj3L5X6zEzixZI6DU+LZmp488TnAZ2b3f2Ed17inbb31RbdxDdXvTVqMVxB+2ZUjrr/4zKoQ0XKHWAVpgk6zX85mCA3J2Ysd+fgnt6KJ+7rmlGhDzO5a3ZWxskHsPg...
.doc .docx .xls .xlsx .ppt .pptx .pst .ost .msg .eml .vsd .vsdx .txt .csv .rtf .123 .wks .wk1 .pdf .dwg .onetoc2 .snt .jpeg .jpg .docb .docm .dot .dotm .dotx .xlsm .xlsb .xlw .xlt . xlm .xlc .xltx .xltm .pptm .pot .pps .ppsm .ppsx .ppam .potx .potm .edb .hwp .602 .sxi .sti .sldx .sldm .sldm .vdi .vm...
.ecrp
rfambsorll
*
Software
/C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "{0}"
RSA private key required to decrypt credentials!
USERPROFILE
Downloads
DropBox
OneDrive
Software
EncryptedKeys
Software
Classes
shell\open\command
%1
\\.\root\default
systemrestore
sequencenumber
cmd.exe
/C chcp 65001 && vssadmin delete shadows /all /quiet
[Delete ShadowCopies] {0}
wallpaper.bmp
Control Panel\Desktop
WallpaperStyle
TileWallpaper
Eternity.Properties.Resources
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:05:31 12:40:20
ZipCRC: 0xf62f8734
ZipCompressedSize: 286471
ZipUncompressedSize: 336896
ZipFileName: VSetup.exe
No data.
Total processes: 147
Monitored processes: 20
Malicious processes: 7
Suspicious processes: 1

Behavior graph

start winrar.exe sppextcomobj.exe no specs slui.exe vsetup.exe winlogon.exe no specs winlogon.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs schtasks.exe no specs winlogon.exe no specs #ETERNITY winlogon.exe no specs slui.exe no specs winlogon.exe no specs THREAT winlogon.exe no specs taskmgr.exe no specs taskmgr.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 732
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 856
CMD: ping 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1328
CMD: schtasks /create /tn "winlogon" /sc MINUTE /tr "C:\Users\admin\AppData\Local\ServiceHub\winlogon.exe" /rl LIMITED /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2092
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Manager
Exit code: 3221226540
Version: 10.0.19041.3636 (WinBuild.160101.0800)
PID: 2644
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
PID: 3304
CMD: "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe"
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
Parent process: winlogon.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Installer
Exit code: 0
Version: 22.01
PID: 4200
CMD: "C:\Users\admin\AppData\Local\ServiceHub\winlogon.exe"
Path: C:\Users\admin\AppData\Local\ServiceHub\winlogon.exe
Parent process: svchost.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Installer
Version: 22.01
PID: 4528
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 4620
CMD: "C:\Users\admin\AppData\Local\ServiceHub\winlogon.exe"
Path: C:\Users\admin\AppData\Local\ServiceHub\winlogon.exe
Parent process: winlogon.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Installer
Exit code: 0
Version: 22.01
PID: 4652
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
Parent process: VSetup.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Installer
Version: 22.01
Total events: 10 278
Read events: 10 177
Write events: 99
Delete events: 2

Modification events

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\VSetup.zip

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (5324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 3
Suspicious files: 49
Text files: 1
Unknown types: 1

Dropped files

PID
Process
Filename
Type
PID: 6744
Process: VSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
Type: executable
MD5:DAFC8E7CCD381AF36F19267A2A9B3F9B
SHA256:3CDED3354FBCFAAD7112C599B3622680A632E601602EA4F5FAA07A6BCC8CBEAF
PID: 5324
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5324.41127\VSetup.exe
Type: executable
MD5:8E4A2E5036C37B82D10564B40D21A12A
SHA256:F84FE2BA58361DEB21D92444A1F5FC061C7005E3C2B822270CBD34DB98895B83
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\justiceeyes.png.ecrp
Type: binary
MD5:9E40EFFF38B8B19D32BEABB7500C02FE
SHA256:642D8459CBB7AE5CD47EF37D817EA8B484BCDC3287A03DB215C272209D196D34
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\laststay.jpg.ecrp
Type: binary
MD5:FBFEF18ACCCC7A553DB7E257BF69661E
SHA256:4F20C00641B2BD58A773119961D6250D88D8495FC7802622475D429636E1B8F7
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\novemberclients.png
Type: binary
MD5:4E689148074EF1F64534FBABEB7B57DB
SHA256:8A2C347551EA1B656F0C083481B724C7915426297357E05340CD008F1FA872A8
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\resolutionpassword.png.ecrp
Type: binary
MD5:8EB32E379442C688DD567EE52F164ADC
SHA256:292FCE743A296BAC2C30C70E7E1C89EE4A0DC3109D8210AFD2410000FEAA676E
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\picturecharge.jpg.ecrp
Type: binary
MD5:B2CAAB37EEFF29130C52E1A945E09B1F
SHA256:9019916328272BC7C321C91F94B4009B9208AC2773E7B7E8913B026248D541F4
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\agentsestate.png.ecrp
Type: binary
MD5:FC34F8F55C1CE986B328E025B29A12EE
SHA256:9007439614F57C48454B12260C8B767F4A002E853853AC6B4D343C2D39C6442F
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\solutionsrussian.png
Type: binary
MD5:A89EDC2A3AD759D5FFEB42574BAF8986
SHA256:3A7EFAA804A17FA113797DBC7A47BF5E5B452C7D63FEC120CAB834033AA9640A
PID: 7900
Process: winlogon.exe
Filename: C:\Users\admin\Pictures\laststay.jpg
Type: binary
MD5:FBFEF18ACCCC7A553DB7E257BF69661E
SHA256:4F20C00641B2BD58A773119961D6250D88D8495FC7802622475D429636E1B8F7
HTTP(S) requests: 5
TCP/UDP connections: 31
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7216 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7216 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6960 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
6544 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
6544 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
login.live.com | 40.126.31.67, 20.190.159.75, 40.126.31.71, 40.126.31.128, 20.190.159.0, 20.190.159.131, 40.126.31.131, 40.126.31.0 | whitelisted
crl.microsoft.com | 2.16.168.124, 2.16.168.114 | whitelisted
www.microsoft.com | 95.101.149.131, 23.219.150.101 | whitelisted
google.com | 142.250.186.46 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info