File name:

223ad291bcb76fa7750a4590a3dc31d7b2f14d96de97bbaab466f4eb4bd007a1.zip

Full analysis: https://app.any.run/tasks/bad40c89-df66-480b-9a3c-f58f9e35e8ea
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 30, 2026, 13:56:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
anti-evasion
vmprotect
valleyrat
rat
silverfox
winos
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

3FCE93B0E3D922213ABF9A1985292FAD

SHA1:

8821C5E15656888FB9BCC411CEAFA15AEEC6DA3D

SHA256:

223AD291BCB76FA7750A4590A3DC31D7B2F14D96DE97BBAAB466F4EB4BD007A1

SSDEEP:

98304:samZu9FvbdT8PFKyALCLjJm8N/fMnwTpfIiqaU7w1YgOwYPWg/heFTlP4/BI1A8W:fPjJdTdcpviLlt/0MovajkExem

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Detects the decoding of a binary file from Base64 (SCRIPT)

      • wscript.exe (PID: 4384)
    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 4384)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 5708)
      • tasklist.exe (PID: 3140)
    • Starts CMD.EXE for self-deleting

      • RunCode.exe (PID: 1192)
    • VALLEYRAT has been detected (YARA)

      • WUDFCompanionHoste.exe (PID: 1132)
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • QSv_SO0jUc_LFpKprtP5KC1Gg5CsIMIsoht1gLKT_RXW8_5izhxfKYKJUbB7oM0UeFHK2L4x.exe (PID: 4488)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • QSv_SO0jUc_LFpKprtP5KC1Gg5CsIMIsoht1gLKT_RXW8_5izhxfKYKJUbB7oM0UeFHK2L4x.exe (PID: 4488)
    • Drops 7-zip archiver for unpacking

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • TauriInstaller.exe (PID: 6112)
      • powershell.exe (PID: 2216)
    • Executable content was dropped or overwritten

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • RunSetup.exe (PID: 4240)
      • powershell.exe (PID: 2216)
      • XBazJkKaYJZmkVB.xml (PID: 4272)
      • RunCode.exe (PID: 1192)
      • StartMenuExperienceHostker.exe (PID: 5404)
      • QSv_SO0jUc_LFpKprtP5KC1Gg5CsIMIsoht1gLKT_RXW8_5izhxfKYKJUbB7oM0UeFHK2L4x.exe (PID: 4488)
      • RunSetup.exe (PID: 4236)
      • wscript.exe (PID: 4384)
    • Reads the Windows owner or organization settings

      • RunSetup.tmp (PID: 7616)
      • RunSetup.tmp (PID: 7840)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4384)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 4384)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 4384)
    • Gets information on the list of running processes

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 1776)
      • TauriInstaller.exe (PID: 6112)
      • cmd.exe (PID: 3612)
      • cmd.exe (PID: 5708)
      • cmd.exe (PID: 6116)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 3612)
      • cmd.exe (PID: 5708)
      • cmd.exe (PID: 6116)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 4956)
    • Creates XML DOM element (SCRIPT)

      • wscript.exe (PID: 4384)
    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 4384)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 2216)
    • Starts POWERSHELL.EXE for commands execution

      • TauriInstaller.exe (PID: 6112)
      • cmd.exe (PID: 7856)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 4384)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 2216)
      • StartMenuExperienceHostker.exe (PID: 5404)
      • WUDFCompanionHoste.exe (PID: 1132)
      • XBazJkKaYJZmkVB.xml (PID: 4272)
      • RunCode.exe (PID: 1192)
      • cmd.exe (PID: 6108)
    • Drops a system driver (possible attempt to evade defenses)

      • StartMenuExperienceHostker.exe (PID: 5404)
    • Starts application with an unusual extension

      • TauriInstaller.exe (PID: 6112)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4384)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 4384)
    • Hides command output

      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 6108)
    • Starts CMD.EXE with output disabled

      • cmd.exe (PID: 6108)
    • File deletion via cmd.exe

      • cmd.exe (PID: 6108)
    • Self-deletion pattern has been detected

      • RunCode.exe (PID: 1192)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7856)
    • Runs PING.EXE to simulate a delay

      • cmd.exe (PID: 6108)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7856)
    • Uses NETSH.EXE to change the status of the firewall

      • StartMenuExperienceHostker.exe (PID: 5404)
    • Reads the date of Windows installation

      • StartMenuExperienceHostker.exe (PID: 5404)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 4956)
  • INFO

    • Manual execution by a user

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 7668)
      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • wscript.exe (PID: 4384)
    • Checks supported languages

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • RunSetup.exe (PID: 4240)
      • RunSetup.tmp (PID: 7616)
      • TauriInstaller.exe (PID: 6112)
      • RunCode.exe (PID: 1192)
      • StartMenuExperienceHostker.exe (PID: 5404)
      • WUDFCompanionHoste.exe (PID: 1132)
      • XBazJkKaYJZmkVB.xml (PID: 4272)
      • QSv_SO0jUc_LFpKprtP5KC1Gg5CsIMIsoht1gLKT_RXW8_5izhxfKYKJUbB7oM0UeFHK2L4x.exe (PID: 4488)
      • RunSetup.exe (PID: 4236)
      • RunSetup.tmp (PID: 7840)
      • TauriInstaller.exe (PID: 7836)
    • Creates files in a temporary directory

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • RunSetup.exe (PID: 4240)
      • QSv_SO0jUc_LFpKprtP5KC1Gg5CsIMIsoht1gLKT_RXW8_5izhxfKYKJUbB7oM0UeFHK2L4x.exe (PID: 4488)
      • RunSetup.exe (PID: 4236)
    • The sample was compiled with English language support

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • TauriInstaller.exe (PID: 6112)
      • powershell.exe (PID: 2216)
      • RunCode.exe (PID: 1192)
      • wscript.exe (PID: 4384)
    • Reads the computer name

      • RunSetup.exe (PID: 4240)
      • RunSetup.tmp (PID: 7616)
      • XBazJkKaYJZmkVB.xml (PID: 4272)
      • StartMenuExperienceHostker.exe (PID: 5404)
      • WUDFCompanionHoste.exe (PID: 1132)
      • RunSetup.exe (PID: 4236)
      • RunSetup.tmp (PID: 7840)
      • RunCode.exe (PID: 1192)
    • Creates a software uninstall entry

      • ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe (PID: 3692)
      • QSv_SO0jUc_LFpKprtP5KC1Gg5CsIMIsoht1gLKT_RXW8_5izhxfKYKJUbB7oM0UeFHK2L4x.exe (PID: 4488)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2216)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2216)
    • Uses PowerShell for ZIP file operations

      • powershell.exe (PID: 2216)
    • VMProtect protector has been detected

      • StartMenuExperienceHostker.exe (PID: 5404)
    • Process checks computer location settings

      • StartMenuExperienceHostker.exe (PID: 5404)
    • Reads security settings of Internet Explorer

      • StartMenuExperienceHostker.exe (PID: 5404)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2026:04:30 16:42:32
ZipCRC: 0x8e89af0f
ZipCompressedSize: 7646211
ZipUncompressedSize: 10242258
ZipFileName: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.vbs
All screenshots are available in the full report
Total processes
188
Monitored processes
50
Malicious processes
6
Suspicious processes
3

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1132
CMD: C:\Users\Public\Documents\x86-Microsoft-Windowsdata\WUDFCompanionHoste.exe
Path: C:\Users\Public\Documents\x86-Microsoft-Windowsdata\WUDFCompanionHoste.exe
Parent process: StartMenuExperienceHostker.exe
User:
admin
Company:
杭州顺网科技股份有限公司
Integrity Level:
HIGH
Description:
APlus Module
Version:
2020,03,11,1
Modules
Images
c:\users\public\documents\x86-microsoft-windowsdata\wudfcompanionhoste.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1192
CMD: "C:\Users\Public\Documents\RunCode.exe"
Path: C:\Users\Public\Documents\RunCode.exe
Parent process: TauriInstaller.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\public\documents\runcode.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1404
CMD: powershell -Command \"$regPath = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.WindowsData'; $acl = (Get-Item -Path $regPath).GetAccessControl(); $acl.SetAccessRuleProtection($true); $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_); }; $sidSystem = New-Object System.Security.Principal.Security.Identity('S-1-5-18'); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidSystem,'FullControl','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidAdmins,'ReadKey','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidEveryone,'Delete','Deny'))); (Get-Item -Path $regPath).SetAccessControl($acl); Disable-ScheduledTask -TaskName 'WindowsPowerShell.WbemScripting.WindowsData'; Write-Host 'X' -ForegroundColor Green;\"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1776
CMD: "cmd" /c tasklist /FI "IMAGENAME eq 360tray.exe" /NH
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: TauriInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1864
CMD: icacls "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.WindowsData" /grant Administrators:F
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2160
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2216
CMD: "powershell.exe" -Command "Expand-Archive -Path 'C:\Users\Public\Documents\bmrjTOYYbMIJsBS.zip' -DestinationPath 'C:\Users\Public\Documents' -Force"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: TauriInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3140
CMD: tasklist /FI "IMAGENAME eq MsMpEng.exe" /NH
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
16 745
Read events
16 715
Write events
30
Delete events
0

Modification events

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Downloads\chromium_build 1.zip

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\223ad291bcb76fa7750a4590a3dc31d7b2f14d96de97bbaab466f4eb4bd007a1.zip

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3340) slui.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

(PID) Process: (5616) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @C:\WINDOWS\System32\wshext.dll,-4802
Value: VBScript Script File
Executable files
18
Suspicious files
10
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7616
Process: RunSetup.tmp
Filename: C:\Users\Public\Documents\is-8G6D52MMNB.tmp
Type:
MD5:
SHA256:

PID: 7616
Process: RunSetup.tmp
Filename: C:\Users\Public\Documents\1.dat
Type:
MD5:
SHA256:

PID: 2216
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n34duxfk.chk.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq5810.tmp\nsis_tauri_utils.dll
Type: executable
MD5: C5BD51B72A0DE24A183585DA36A160C7
SHA256: 5EF1F010F9A8BE4FFE0913616F6C54ACF403EE0B83D994821AE4B6716EC1D266

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq580F.tmp
Type:
MD5:
SHA256:

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq5810.tmp\System.dll
Type: executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Program Files (x86)\TauriInstaller\TauriInstaller.exe
Type: executable
MD5: B75990C782F3141E67711CEC77DFFA48
SHA256: B90A026C8EE5E3D05C44CA1D5E6E89A0116CD65C3DE4CDB7B5CAB4B6CDFA5956

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Program Files (x86)\TauriInstaller\_up_\assets\RunSetup.bin
Type: executable
MD5: F58D20087923AC172B7AAEBE453119CA
SHA256: 6D21E6EB9C845454AEEE206FC76082A7B20EFD7AEDC0BB0D8F033AA85B6FF052

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Program Files (x86)\TauriInstaller\_up_\assets\PI_001.dat
Type: binary
MD5: DE3D83675342ECCBEDE0018D07F5C1D5
SHA256: 46F04E4AA86AB2DD82CD23615C9E3066497F872E29CDD8688814A3E46125D8E4

PID: 3692
Process: ШАБЛОН_Лицензионный_договор_ПОИНТЕР_docx.exe
Filename: C:\Program Files (x86)\TauriInstaller\_up_\assets\bmrjTOYYbMIJsBS.zip
Type: compressed
MD5: 68389976AB87BD078030288C1D6FAEBF
SHA256: 84BD9BDB6BFDDD9DC071244ED687363472E5492B65DED2A11D95B2456AF64991
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
53
TCP/UDP connections
47
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7984
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
7984
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
3340
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
3340
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
5316
svchost.exe
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
5316
svchost.exe
POST
200
40.126.31.131:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
5316
svchost.exe
POST
400
20.190.160.20:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
5116
SIHClient.exe
GET
304
135.233.95.144:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
POST
400
40.126.31.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6116
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5532
SearchApp.exe
92.123.104.13:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
7984
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7984
svchost.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5276
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
7984
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 92.123.104.13
  • 92.123.104.9
  • 92.123.104.65
  • 92.123.104.62
  • 92.123.104.67
  • 92.123.104.63
  • 92.123.104.5
  • 92.123.104.6
  • 92.123.104.66
whitelisted
google.com
  • 142.251.20.100
  • 142.251.20.102
  • 142.251.20.113
  • 142.251.20.139
  • 142.251.20.101
  • 142.251.20.138
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 2.18.69.217
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.67
  • 20.190.160.132
  • 20.190.160.14
  • 20.190.160.17
  • 40.126.32.68
  • 20.190.160.3
  • 40.126.32.72
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 74.179.77.164
whitelisted

Threats

PID
Process
Class
Message
1132
WUDFCompanionHoste.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 25