File name:

f8dd11ef.msi

Full analysis: https://app.any.run/tasks/2a47903e-046c-4bd5-ad12-ebdc8111bdb4
Verdict: Malicious activity
Analysis date: February 25, 2025, 16:56:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {5E26995F-3113-4E88-9385-DC218163D9F7}, Title: WildfireVPNInstaller, Author: VPN, Number of Words: 2, Last Saved Time/Date: Thu May 26 12:14:06 2022, Last Printed: Thu May 26 12:14:06 2022
MD5:

5236C7A180ADDDCFF57B497A5E076EFB

SHA1:

7264A6DA5D371846A8F31F5C1BFEC8CB27C9F1AD

SHA256:

216C0E8C8A4A10FF0C99E0473D36BCC689085C9779E5B010699588CF4B831ACB

SSDEEP:

98304:3qiRM4orbBqX75b27kFzX0qxvh3YDK1p1mQhSHaq2vTtPrgZmIqETNT6LE3qNhVT:zyCsK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WildfireInstaller.exe (PID: 1868)

    • UAC/LUA settings modification

      • WildfireInstaller.exe (PID: 1868)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 4932)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6012)
      • msiexec.exe (PID: 4708)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4708)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1864)
      • ShellExperienceHost.exe (PID: 5236)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 4708)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6012)

    • The sample compiled with english language support

      • msiexec.exe (PID: 6012)
      • msiexec.exe (PID: 4708)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6012)

    • Checks proxy server information

      • msiexec.exe (PID: 6012)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4708)

    • Manages system restore points

      • SrTasks.exe (PID: 4076)

    • Checks supported languages

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 5604)
      • msiexec.exe (PID: 1864)
      • WildfireInstaller.exe (PID: 1868)
      • ShellExperienceHost.exe (PID: 5236)

    • Reads the computer name

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 5604)
      • WildfireInstaller.exe (PID: 1868)
      • msiexec.exe (PID: 1864)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 1864)
      • WildfireInstaller.exe (PID: 1868)

    • Reads the software policy settings

      • msiexec.exe (PID: 6012)
      • msiexec.exe (PID: 4708)
      • WildfireInstaller.exe (PID: 1868)

    • Process checks computer location settings

      • msiexec.exe (PID: 1864)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4708)

    • Reads Environment values

      • WildfireInstaller.exe (PID: 1868)

    • Disables trace logs

      • WildfireInstaller.exe (PID: 1868)

    • Process checks whether UAC notifications are on

      • WildfireInstaller.exe (PID: 1868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CreateDate: 1999:06:21 07:00:00
Software: Windows Installer
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Template: x64;1033
Pages: 200
RevisionNumber: {5E26995F-3113-4E88-9385-DC218163D9F7}
Title: WildfireVPNInstaller
Subject: -
Author: VPN
Keywords: -
Comments: -
Words: 2
ModifyDate: 2022:05:26 12:14:06
LastPrinted: 2022:05:26 12:14:06
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msiexec.exe Set Network Location Elevated Virtual Factory no specs msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs wildfireinstaller.exe shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1476\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1864C:\Windows\syswow64\MsiExec.exe -Embedding E8FAB90FB9483BFB60F3CAA0ABE8C2D1 E Global\MSI0000C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1868"C:\Program Files\VPN\WildfireVPNInstaller\WildfireInstaller.exe" C:\Program Files\VPN\WildfireVPNInstaller\WildfireInstaller.exe
msiexec.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
WildfireInstaller
Version:
1.0.9
Modules
Images
c:\program files\vpn\wildfirevpninstaller\wildfireinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4076C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4708C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4932C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5236"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
5604C:\Windows\syswow64\MsiExec.exe -Embedding 5AEB3822CEED5A8D8D63721BDA7AA480C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
6004C:\WINDOWS\system32\DllHost.exe /Processid:{46B988E8-BEC2-401F-A1C5-16C694F26D3E}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
6012"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\f8dd11ef.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
17 554
Read events
17 261
Write events
275
Delete events
18

Modification events

(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000002389FB3BA687DB0164120000CC110000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
480000000000000047EEFD3BA687DB0164120000CC110000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000D7349F3DA687DB0164120000CC110000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000D7349F3DA687DB0164120000CC110000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
48000000000000000E9FD33DA687DB0164120000CC110000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000BC38DD3DA687DB0164120000CC110000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000D31AF43EA687DB0164120000EC000000E80300000100000000000000000000005A14CD39B371AF4797F37C2FCAC2D7F300000000000000000000000000000000
(PID) Process:(4932) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(4932) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
48000000000000008DF50B3FA687DB0144130000080C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4932) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
Executable files
12
Suspicious files
26
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
4708msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_A19D3B149B41A46ACB4D7263B773D682binary
MD5:7FFDDB6D30ECD1E07898C65C22DCFE0B
SHA256:40E6F3C172111A990B366F41AF0AAFF3A2AE6EB91FD9E15884B75C415CC04AEF
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_A19D3B149B41A46ACB4D7263B773D682binary
MD5:B8FD5D48AC5FF17B3DB360FF1E94DB44
SHA256:1ED4999BCAE023CD5D7EAEF45CF98B3163292BFA87BB69F97B1E1EF4123817C6
4708msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{39cd145a-71b3-47af-97f3-7c2fcac2d7f3}_OnDiskSnapshotPropbinary
MD5:7EED23A7798D62EAA0AC7BA9E621110C
SHA256:B5CC8873CC31B63358753D3F77D08FF1A9F80A23506F8F05941A6660ED53F756
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9D1B23D8271BCBFB5C2E6E3DB3E5DE6binary
MD5:7BDEE8689BFEE6E6488CF73C113B46D1
SHA256:AE0989B8F3F667EEEC9C3E3376B7BFDB9C55F84BD7796B74AD8747E13930EBD7
5604msiexec.exeC:\Users\admin\AppData\Local\Temp\CFG490D.tmpxml
MD5:68675E0D405C8C76102802FA624EB895
SHA256:B839CDD1C3F55651CD4D0E54A679BCE5AC60ED7618A7B74BFC8EF8CA311E53ED
4708msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:7EED23A7798D62EAA0AC7BA9E621110C
SHA256:B5CC8873CC31B63358753D3F77D08FF1A9F80A23506F8F05941A6660ED53F756
4708msiexec.exeC:\Windows\Installer\MSI4AE4.tmpbinary
MD5:CE37D17DC122CD1CACC6EA438639F825
SHA256:C9D3B73030FDFBD56937EF7F8A52768CDDA73944262C549C01B555A393FCD780
4708msiexec.exeC:\Windows\Installer\1442f3.msiexecutable
MD5:5236C7A180ADDDCFF57B497A5E076EFB
SHA256:216C0E8C8A4A10FF0C99E0473D36BCC689085C9779E5B010699588CF4B831ACB
4708msiexec.exeC:\Windows\Temp\~DF44A3126B7860FA32.TMPbinary
MD5:92323FD4249EB5674B41AECC4F0CA55D
SHA256:EAC2FF2D5E74C16D95A8BC0026FCC6E7743FFAC800ADF121637031CEF7FDF7F7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
28
DNS requests
10
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6012
msiexec.exe
GET
200
2.19.195.179:80
http://sslcom.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEGL4EqNfUr10txjWEKxLR4M%3D
unknown
whitelisted
2148
RUXIMICS.exe
GET
200
23.48.23.153:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2148
RUXIMICS.exe
GET
200
104.85.1.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6012
msiexec.exe
GET
200
108.138.36.51:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
unknown
whitelisted
6012
msiexec.exe
GET
200
108.138.36.51:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
unknown
whitelisted
6012
msiexec.exe
GET
200
18.244.18.92:80
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl
unknown
whitelisted
6012
msiexec.exe
GET
200
108.138.36.51:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSoEwb5tith0jIBy9frSyNGB1lsAAQUNr1J%2FzEs669qQP6ZwBbtuvxI3V8CEGfIBwKQgamZ1Z2RtfvqwNM%3D
unknown
whitelisted
GET
200
188.114.97.3:443
https://validuser.cpv.workers.dev/?ip=72.51.111.4
unknown
binary
19 b
shared
GET
200
188.114.96.3:443
https://validuser.cpv.workers.dev/
unknown
binary
27 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2148
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3704
svchost.exe
239.255.255.250:3702
whitelisted
6012
msiexec.exe
2.19.195.179:80
sslcom.ocsp-certum.com
Akamai International B.V.
NL
whitelisted
3896
dasHost.exe
239.255.255.250:3702
whitelisted
3160
svchost.exe
239.255.255.250:1900
whitelisted
2148
RUXIMICS.exe
23.48.23.153:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6012
msiexec.exe
108.138.36.51:80
ocsps.ssl.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
sslcom.ocsp-certum.com
  • 2.19.195.179
  • 2.19.195.234
whitelisted
crl.microsoft.com
  • 23.48.23.153
  • 23.48.23.149
  • 23.48.23.150
  • 23.48.23.160
  • 23.48.23.144
  • 23.48.23.154
  • 23.48.23.161
  • 23.48.23.148
  • 23.48.23.155
whitelisted
ocsps.ssl.com
  • 108.138.36.51
  • 108.138.36.12
  • 108.138.36.71
  • 108.138.36.22
whitelisted
www.microsoft.com
  • 104.85.1.163
whitelisted
crls.ssl.com
  • 18.244.18.92
  • 18.244.18.55
  • 18.244.18.54
  • 18.244.18.60
whitelisted
vpn.status77.com
unknown
validuser.cpv.workers.dev
  • 188.114.97.3
  • 188.114.96.3
shared
self.events.data.microsoft.com
  • 13.89.179.11
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] DNS Query to Cloudflare Worker App
2192
svchost.exe
Misc activity
ET INFO Observed DNS Query to Cloudflare workers.dev Domain
1868
WildfireInstaller.exe
Misc activity
ET INFO Observed Cloudflare workers.dev Domain in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f8dd11ef.msi