File name:

f8dd11ef.msi

Full analysis: https://app.any.run/tasks/2a47903e-046c-4bd5-ad12-ebdc8111bdb4
Verdict: Malicious activity
Analysis date: February 25, 2025, 16:56:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {5E26995F-3113-4E88-9385-DC218163D9F7}, Title: WildfireVPNInstaller, Author: VPN, Number of Words: 2, Last Saved Time/Date: Thu May 26 12:14:06 2022, Last Printed: Thu May 26 12:14:06 2022
MD5:

5236C7A180ADDDCFF57B497A5E076EFB

SHA1:

7264A6DA5D371846A8F31F5C1BFEC8CB27C9F1AD

SHA256:

216C0E8C8A4A10FF0C99E0473D36BCC689085C9779E5B010699588CF4B831ACB

SSDEEP:

98304:3qiRM4orbBqX75b27kFzX0qxvh3YDK1p1mQhSHaq2vTtPrgZmIqETNT6LE3qNhVT:zyCsK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WildfireInstaller.exe (PID: 1868)

    • UAC/LUA settings modification

      • WildfireInstaller.exe (PID: 1868)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6012)
      • msiexec.exe (PID: 4708)

    • Executes as Windows Service

      • VSSVC.exe (PID: 4932)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 4708)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4708)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1864)
      • ShellExperienceHost.exe (PID: 5236)

  • INFO

    • The sample compiled with english language support

      • msiexec.exe (PID: 6012)
      • msiexec.exe (PID: 4708)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6012)

    • Checks proxy server information

      • msiexec.exe (PID: 6012)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6012)

    • Reads the computer name

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 5604)
      • msiexec.exe (PID: 1864)
      • WildfireInstaller.exe (PID: 1868)

    • Checks supported languages

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 5604)
      • WildfireInstaller.exe (PID: 1868)
      • ShellExperienceHost.exe (PID: 5236)
      • msiexec.exe (PID: 1864)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4708)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 1864)
      • WildfireInstaller.exe (PID: 1868)

    • Manages system restore points

      • SrTasks.exe (PID: 4076)

    • Reads the software policy settings

      • msiexec.exe (PID: 4708)
      • msiexec.exe (PID: 6012)
      • WildfireInstaller.exe (PID: 1868)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4708)

    • Process checks whether UAC notifications are on

      • WildfireInstaller.exe (PID: 1868)

    • Process checks computer location settings

      • msiexec.exe (PID: 1864)

    • Disables trace logs

      • WildfireInstaller.exe (PID: 1868)

    • Reads Environment values

      • WildfireInstaller.exe (PID: 1868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CreateDate: 1999:06:21 07:00:00
Software: Windows Installer
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Template: x64;1033
Pages: 200
RevisionNumber: {5E26995F-3113-4E88-9385-DC218163D9F7}
Title: WildfireVPNInstaller
Subject: -
Author: VPN
Keywords: -
Comments: -
Words: 2
ModifyDate: 2022:05:26 12:14:06
LastPrinted: 2022:05:26 12:14:06
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msiexec.exe Set Network Location Elevated Virtual Factory no specs msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs wildfireinstaller.exe shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1476\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1864C:\Windows\syswow64\MsiExec.exe -Embedding E8FAB90FB9483BFB60F3CAA0ABE8C2D1 E Global\MSI0000C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1868"C:\Program Files\VPN\WildfireVPNInstaller\WildfireInstaller.exe" C:\Program Files\VPN\WildfireVPNInstaller\WildfireInstaller.exe
msiexec.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
WildfireInstaller
Version:
1.0.9
Modules
Images
c:\program files\vpn\wildfirevpninstaller\wildfireinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4076C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4708C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4932C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5236"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
5604C:\Windows\syswow64\MsiExec.exe -Embedding 5AEB3822CEED5A8D8D63721BDA7AA480C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
6004C:\WINDOWS\system32\DllHost.exe /Processid:{46B988E8-BEC2-401F-A1C5-16C694F26D3E}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
6012"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\f8dd11ef.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
17 554
Read events
17 261
Write events
275
Delete events
18

Modification events

(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000002389FB3BA687DB0164120000CC110000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
480000000000000047EEFD3BA687DB0164120000CC110000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000D7349F3DA687DB0164120000CC110000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000D7349F3DA687DB0164120000CC110000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
48000000000000000E9FD33DA687DB0164120000CC110000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000BC38DD3DA687DB0164120000CC110000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4708) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000D31AF43EA687DB0164120000EC000000E80300000100000000000000000000005A14CD39B371AF4797F37C2FCAC2D7F300000000000000000000000000000000
(PID) Process:(4932) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(4932) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
48000000000000008DF50B3FA687DB0144130000080C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4932) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
Executable files
12
Suspicious files
26
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
4708msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1binary
MD5:7E5E9912DE7A985FF6257B5E3005DE2C
SHA256:EC0BDEA0FCC54BE0A302CAC5A2513186CCD5A9E1BD9DE7C8DD81CE1773141571
4708msiexec.exeC:\Windows\Installer\MSI47F4.tmpexecutable
MD5:B77A2A2768B9CC78A71BBFFB9812B978
SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_A19D3B149B41A46ACB4D7263B773D682binary
MD5:B8FD5D48AC5FF17B3DB360FF1E94DB44
SHA256:1ED4999BCAE023CD5D7EAEF45CF98B3163292BFA87BB69F97B1E1EF4123817C6
5604msiexec.exeC:\Users\admin\AppData\Local\Temp\CFG490D.tmpxml
MD5:68675E0D405C8C76102802FA624EB895
SHA256:B839CDD1C3F55651CD4D0E54A679BCE5AC60ED7618A7B74BFC8EF8CA311E53ED
4708msiexec.exeC:\Program Files\VPN\WildfireVPNInstaller\WildfireInstaller.exeexecutable
MD5:01DF6BF0594BA13F11B292D77C7F551C
SHA256:51737AB6AFD35D3EB93220517F408B290E30000802D7BE5763017356ADAB2D75
4708msiexec.exeC:\Windows\Temp\~DF449F867248C9BF3E.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1binary
MD5:30FAAB52CF9539EEFBE3E378C36DC8ED
SHA256:FF2B56462CA57FA5CDEBB5CE8559B4A62F1A0E006F23316C74984E7F44769BD5
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9D1B23D8271BCBFB5C2E6E3DB3E5DE6binary
MD5:35A1A3ACE0D5925C8AC8227C2A244C48
SHA256:A3428D47DB5FE355ED97C17437D6037B27E26D45368221575318B2C7D14FA022
6012msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_A19D3B149B41A46ACB4D7263B773D682binary
MD5:7FFDDB6D30ECD1E07898C65C22DCFE0B
SHA256:40E6F3C172111A990B366F41AF0AAFF3A2AE6EB91FD9E15884B75C415CC04AEF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
28
DNS requests
10
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6012
msiexec.exe
GET
200
2.19.195.179:80
http://sslcom.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEGL4EqNfUr10txjWEKxLR4M%3D
unknown
whitelisted
2148
RUXIMICS.exe
GET
200
23.48.23.153:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2148
RUXIMICS.exe
GET
200
104.85.1.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6012
msiexec.exe
GET
200
108.138.36.51:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
unknown
whitelisted
6012
msiexec.exe
GET
200
108.138.36.51:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
unknown
whitelisted
6012
msiexec.exe
GET
200
18.244.18.92:80
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl
unknown
whitelisted
6012
msiexec.exe
GET
200
108.138.36.51:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSoEwb5tith0jIBy9frSyNGB1lsAAQUNr1J%2FzEs669qQP6ZwBbtuvxI3V8CEGfIBwKQgamZ1Z2RtfvqwNM%3D
unknown
whitelisted
GET
200
188.114.96.3:443
https://validuser.cpv.workers.dev/
unknown
binary
27 b
shared
GET
200
188.114.97.3:443
https://validuser.cpv.workers.dev/?ip=72.51.111.4
unknown
binary
19 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2148
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3704
svchost.exe
239.255.255.250:3702
whitelisted
6012
msiexec.exe
2.19.195.179:80
sslcom.ocsp-certum.com
Akamai International B.V.
NL
whitelisted
3896
dasHost.exe
239.255.255.250:3702
whitelisted
3160
svchost.exe
239.255.255.250:1900
whitelisted
2148
RUXIMICS.exe
23.48.23.153:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6012
msiexec.exe
108.138.36.51:80
ocsps.ssl.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
sslcom.ocsp-certum.com
  • 2.19.195.179
  • 2.19.195.234
whitelisted
crl.microsoft.com
  • 23.48.23.153
  • 23.48.23.149
  • 23.48.23.150
  • 23.48.23.160
  • 23.48.23.144
  • 23.48.23.154
  • 23.48.23.161
  • 23.48.23.148
  • 23.48.23.155
whitelisted
ocsps.ssl.com
  • 108.138.36.51
  • 108.138.36.12
  • 108.138.36.71
  • 108.138.36.22
whitelisted
www.microsoft.com
  • 104.85.1.163
whitelisted
crls.ssl.com
  • 18.244.18.92
  • 18.244.18.55
  • 18.244.18.54
  • 18.244.18.60
whitelisted
vpn.status77.com
unknown
validuser.cpv.workers.dev
  • 188.114.97.3
  • 188.114.96.3
shared
self.events.data.microsoft.com
  • 13.89.179.11
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] DNS Query to Cloudflare Worker App
2192
svchost.exe
Misc activity
ET INFO Observed DNS Query to Cloudflare workers.dev Domain
1868
WildfireInstaller.exe
Misc activity
ET INFO Observed Cloudflare workers.dev Domain in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f8dd11ef.msi