URL: https://www.skyvpn.net/vpn-for-windows

Full analysis: https://app.any.run/tasks/f8237841-76b8-4d1c-aab5-5b455f360513
Verdict: Malicious activity
Analysis date: May 09, 2025, 21:27:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi, ssh
Indicators:
MD5: 65AA4E7457DCEBA78FE5F88DC5F62893
SHA1: 3DDA933F33AAC1236955EBEC4C87989E4C2FCC3C
SHA256: 2272106D4EE07C4AF6440EBEA904E7EAA4258AB609EB1F46F66C21896519FED2
SSDEEP: 3:N8DSL9WIDJdKSW:2OL9PddKSW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • CertMgr.Exe (PID: 7564)
      • CertMgr.Exe (PID: 7860)
    • Changes the autorun value in the registry

      • SkyVPNSetup-official.tmp (PID: 3268)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SkyVPNSetup-official.exe (PID: 7952)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • tap-windows-9.21.2.exe (PID: 7888)
      • drvinst.exe (PID: 4120)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 7364)
    • Reads the Windows owner or organization settings

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Process drops legitimate windows executable

      • SkyVPNSetup-official.tmp (PID: 3268)
    • The process drops C-runtime libraries

      • SkyVPNSetup-official.tmp (PID: 3268)
    • There is functionality for taking screenshot (YARA)

      • SkyVPNSetup-official.tmp (PID: 3268)
      • skyvpn.exe (PID: 7500)
    • Drops a system driver (possible attempt to evade defenses)

      • tap-windows-9.21.2.exe (PID: 7888)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
    • Adds/modifies Windows certificates

      • CertMgr.Exe (PID: 7564)
      • CertMgr.Exe (PID: 7860)
      • tapinstall.exe (PID: 7712)
    • The process creates files with name similar to system file names

      • tap-windows-9.21.2.exe (PID: 7888)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • tap-windows-9.21.2.exe (PID: 7888)
    • Creates files in the driver directory

      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 7364)
    • Reads security settings of Internet Explorer

      • tapinstall.exe (PID: 7712)
      • skyvpn.exe (PID: 7500)
    • Creates a software uninstall entry

      • tap-windows-9.21.2.exe (PID: 7888)
    • Searches for installed software

      • SkyVPNSetup-official.tmp (PID: 3268)
      • skyvpn.exe (PID: 7500)
    • Executes application which crashes

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Process uses IPCONFIG to clear DNS cache

      • skyvpn.exe (PID: 7500)
    • Detected use of alternative data streams (AltDS)

      • skyvpn.exe (PID: 7500)
    • Connects to unusual port

      • skyvpn.exe (PID: 7500)
    • Suspicious use of NETSH.EXE

      • skyvpn.exe (PID: 7500)
    • Potential Corporate Privacy Violation

      • skyvpn.exe (PID: 7500)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 7020)
      • firefox.exe (PID: 1272)
    • Checks supported languages

      • SkyVPNSetup-official.tmp (PID: 3268)
      • SkyVPNSetup-official.exe (PID: 7952)
      • CertMgr.Exe (PID: 7564)
      • tap-windows-9.21.2.exe (PID: 7888)
      • CertMgr.Exe (PID: 7860)
      • tapinstall.exe (PID: 7528)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
      • skyvpn.exe (PID: 7500)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 1272)
    • Reads the computer name

      • SkyVPNSetup-official.tmp (PID: 3268)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
      • skyvpn.exe (PID: 7500)
    • Create files in a temporary directory

      • SkyVPNSetup-official.exe (PID: 7952)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • tap-windows-9.21.2.exe (PID: 7888)
      • tapinstall.exe (PID: 7712)
    • The sample compiled with russian language support

      • SkyVPNSetup-official.tmp (PID: 3268)
    • The sample compiled with english language support

      • SkyVPNSetup-official.tmp (PID: 3268)
      • tap-windows-9.21.2.exe (PID: 7888)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
    • Reads the machine GUID from the registry

      • SkyVPNSetup-official.tmp (PID: 3268)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • skyvpn.exe (PID: 7500)
    • Creates files in the program directory

      • SkyVPNSetup-official.tmp (PID: 3268)
      • tap-windows-9.21.2.exe (PID: 7888)
    • Detects InnoSetup installer (YARA)

      • SkyVPNSetup-official.exe (PID: 7952)
      • SkyVPNSetup-official.tmp (PID: 3268)
    • Compiled with Borland Delphi (YARA)

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Creates a software uninstall entry

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Reads the software policy settings

      • drvinst.exe (PID: 4120)
      • tapinstall.exe (PID: 7712)
    • Process checks computer location settings

      • skyvpn.exe (PID: 7500)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 8092)
      • WerFault.exe (PID: 7536)
      • skyvpn.exe (PID: 7500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 206
Monitored processes: 61
Malicious processes: 7
Suspicious processes: 4

Behavior graph

Graph nodes, in order (processes marked "no specs" carry no indicators in the graph): start, firefox.exe (no specs), firefox.exe, firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), sppextcomobj.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), skyvpnsetup-official.exe (no specs), skyvpnsetup-official.exe, skyvpnsetup-official.tmp, certmgr.exe (no specs), conhost.exe (no specs), certmgr.exe (no specs), conhost.exe (no specs), tap-windows-9.21.2.exe, tapinstall.exe (no specs), conhost.exe (no specs), tapinstall.exe, conhost.exe (no specs), drvinst.exe, drvinst.exe, skyvpn.exe, werfault.exe (no specs), werfault.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), netsh.exe, conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), slui.exe (no specs), netsh.exe, conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), slui.exe, slui.exe (no specs), netsh.exe, conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), conhost.exe (no specs), slui.exe (no specs), openwith.exe (no specs), notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 720
CMD: "C:\Windows\System32\ipconfig.exe" /flushdns
Path: C:\Windows\SysWOW64\ipconfig.exe
Parent process: skyvpn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1056
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1180
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5288 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1316 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6689df5-eece-47ca-b2b4-55d54dcda05c} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 1a344258150 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
PID: 1272
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.skyvpn.net/vpn-for-windows
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2192
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2284
CMD: "C:\Windows\System32\ipconfig.exe" /flushdns
Path: C:\Windows\SysWOW64\ipconfig.exe
Parent process: skyvpn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2344
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ipconfig.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2852
CMD: netsh interface ip set subinterface "24" mtu=1180
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: skyvpn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2984
CMD: "C:\Windows\System32\ipconfig.exe" /flushdns
Path: C:\Windows\SysWOW64\ipconfig.exe
Parent process: skyvpn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3268
CMD: "C:\Users\admin\AppData\Local\Temp\is-DDUGC.tmp\SkyVPNSetup-official.tmp" /SL5="$9014C,10236730,67072,C:\Users\admin\Downloads\SkyVPNSetup-official.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-DDUGC.tmp\SkyVPNSetup-official.tmp
Parent process: SkyVPNSetup-official.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 3221226525
Version: 51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ddugc.tmp\skyvpnsetup-official.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 36 026
Read events: 35 912
Write events: 100
Delete events: 14

Modification events

Process: (1272) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

Process: (1272) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.1.ee2 (a)

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\SkyVPN

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\SkyVPN\

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: User
Value: admin

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: Selected Tasks
Value: desktopicon

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: Deselected Tasks
Value:

Process: (3268) SkyVPNSetup-official.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
Operation: write
Name: Inno Setup: Language
Value: english
Executable files: 84
Suspicious files: 200
Text files: 773
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 1272 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.bin
MD5: A8E7F6E679566AAB755ECF3C8F7AA4BB
SHA256: 0D5A675F0F0B1A87F5D11DA0A578C273A3B8A71641CB96D14EDA72D6471226A9

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db
MD5: 191B914067B92F1B8883A54C52092DA6
SHA256: 29A82DECBB1CC0527F0C9A51595196EAE05CB2BE9C75B7629180ECC870DE6A62

PID: 1272 | Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 1272 | Process: firefox.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
MD5: 234AC89B44A7925A7A7F7E2A2650E254
SHA256: 0AE83A76ECE1CFD44F16DBB57AFD223C5D57F32479DE12DE5C02CF85AB892DF8

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journal
MD5: A577E15550A43B0902AB4B0FB552597E
SHA256: B76517E9B248C5801CE955C176E528C99179F5DD4EFCF581EFDEE54A5B52A42D

PID: 1272 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 49
TCP/UDP connections: 203
DNS requests: 139
Threats: 12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
POST | 200 | 18.245.65.219:80 | http://ocsp.r2m02.amazontrust.com/ | unknown | whitelisted
POST | | 2.16.241.8:80 | http://r11.o.lencr.org/ | unknown | whitelisted
POST | 200 | 142.250.185.67:80 | http://o.pki.goog/s/wr3/FIY | unknown | whitelisted
POST | 200 | 2.16.241.15:80 | http://r10.o.lencr.org/ | unknown | whitelisted
POST | 200 | 2.16.241.8:80 | http://r11.o.lencr.org/ | unknown | whitelisted
POST | 200 | 2.16.241.15:80 | http://r10.o.lencr.org/ | unknown | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4 | System | 192.168.100.255:137 | whitelisted
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
3.167.227.121:443 | www.skyvpn.net | US | whitelisted
34.36.137.203:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted
142.250.185.170:443 | safebrowsing.googleapis.com | whitelisted
34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.skyvpn.net
  • 3.167.227.121
  • 3.167.227.22
  • 3.167.227.26
  • 3.167.227.58
unknown
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
d3oredzx8ky5lh.cloudfront.net
  • 3.167.227.121
  • 3.167.227.22
  • 3.167.227.26
  • 3.167.227.58
  • 2600:9000:27e6:1c00:19:39b5:3540:93a1
  • 2600:9000:27e6:4200:19:39b5:3540:93a1
  • 2600:9000:27e6:fa00:19:39b5:3540:93a1
  • 2600:9000:27e6:3e00:19:39b5:3540:93a1
  • 2600:9000:27e6:9a00:19:39b5:3540:93a1
  • 2600:9000:27e6:5600:19:39b5:3540:93a1
  • 2600:9000:27e6:de00:19:39b5:3540:93a1
  • 2600:9000:27e6:8200:19:39b5:3540:93a1
whitelisted
example.org
  • 23.215.0.132
  • 96.7.128.186
  • 96.7.128.192
  • 23.215.0.133
whitelisted
ipv4only.arpa
  • 192.0.0.171
  • 192.0.0.170
whitelisted

Threats

PID
Process
Class
Message
7500 | skyvpn.exe | Generic Protocol Command Decode | SURICATA HTTP gzip decompression failed
7500 | skyvpn.exe | Generic Protocol Command Decode | SURICATA HTTP gzip decompression failed
7500 | skyvpn.exe | Generic Protocol Command Decode | SURICATA HTTP gzip decompression failed
7500 | skyvpn.exe | Generic Protocol Command Decode | SURICATA HTTP gzip decompression failed
7500 | skyvpn.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A SSH banner has been detected on a non-standard port number
7500 | skyvpn.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A SSH banner has been detected on a non-standard port number
7500 | skyvpn.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A SSH banner has been detected
7500 | skyvpn.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A SSH banner has been detected
7500 | skyvpn.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A SSH banner has been detected on a non-standard port number
7500 | skyvpn.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A SSH banner has been detected
No debug info