URL: https://www.skyvpn.net/vpn-for-windows
Full analysis: https://app.any.run/tasks/f8237841-76b8-4d1c-aab5-5b455f360513
Verdict: Malicious activity
Analysis date: May 09, 2025, 21:27:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi, ssh
Indicators:
MD5: 65AA4E7457DCEBA78FE5F88DC5F62893
SHA1: 3DDA933F33AAC1236955EBEC4C87989E4C2FCC3C
SHA256: 2272106D4EE07C4AF6440EBEA904E7EAA4258AB609EB1F46F66C21896519FED2
SSDEEP: 3:N8DSL9WIDJdKSW:2OL9PddKSW
Note on the indicators: this task was submitted as a URL. An ssdeep block size of 3 is the minimum and implies an input of at most a few hundred bytes, so the hashes above cannot be those of the installer itself (the /SL5 argument of PID 3268 below gives SkyVPNSetup-official.exe a size of 10236730 bytes). Do not hunt for the installer with them.
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • CertMgr.Exe (PID: 7564)
      • CertMgr.Exe (PID: 7860)
    • Changes the autorun value in the registry

      • SkyVPNSetup-official.tmp (PID: 3268)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SkyVPNSetup-official.exe (PID: 7952)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • drvinst.exe (PID: 4120)
      • tapinstall.exe (PID: 7712)
      • tap-windows-9.21.2.exe (PID: 7888)
      • drvinst.exe (PID: 7364)
    • Reads the Windows owner or organization settings

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Process drops legitimate windows executable

      • SkyVPNSetup-official.tmp (PID: 3268)
    • The process drops C-runtime libraries

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Drops a system driver (possible attempt to evade defenses)

      • SkyVPNSetup-official.tmp (PID: 3268)
      • tap-windows-9.21.2.exe (PID: 7888)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
    • Adds/modifies Windows certificates

      • CertMgr.Exe (PID: 7860)
      • tapinstall.exe (PID: 7712)
      • CertMgr.Exe (PID: 7564)
    • The process creates files with name similar to system file names

      • tap-windows-9.21.2.exe (PID: 7888)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • tap-windows-9.21.2.exe (PID: 7888)
    • Reads security settings of Internet Explorer

      • tapinstall.exe (PID: 7712)
      • skyvpn.exe (PID: 7500)
    • There is functionality for taking screenshot (YARA)

      • SkyVPNSetup-official.tmp (PID: 3268)
      • skyvpn.exe (PID: 7500)
    • Creates files in the driver directory

      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
    • Creates a software uninstall entry

      • tap-windows-9.21.2.exe (PID: 7888)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 7364)
    • Searches for installed software

      • SkyVPNSetup-official.tmp (PID: 3268)
      • skyvpn.exe (PID: 7500)
    • Suspicious use of NETSH.EXE

      • skyvpn.exe (PID: 7500)
    • Executes application which crashes

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Detected use of alternative data streams (AltDS)

      • skyvpn.exe (PID: 7500)
    • Potential Corporate Privacy Violation

      • skyvpn.exe (PID: 7500)
    • Connects to unusual port

      • skyvpn.exe (PID: 7500)
    • Process uses IPCONFIG to clear DNS cache

      • skyvpn.exe (PID: 7500)
  • INFO

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 1272)
    • Application launched itself

      • firefox.exe (PID: 1272)
      • firefox.exe (PID: 7020)
    • Checks supported languages

      • SkyVPNSetup-official.exe (PID: 7952)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • CertMgr.Exe (PID: 7860)
      • tap-windows-9.21.2.exe (PID: 7888)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • CertMgr.Exe (PID: 7564)
      • drvinst.exe (PID: 7364)
      • tapinstall.exe (PID: 7528)
      • skyvpn.exe (PID: 7500)
    • Create files in a temporary directory

      • SkyVPNSetup-official.exe (PID: 7952)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • tap-windows-9.21.2.exe (PID: 7888)
      • tapinstall.exe (PID: 7712)
    • The sample compiled with russian language support

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Reads the computer name

      • SkyVPNSetup-official.tmp (PID: 3268)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
      • skyvpn.exe (PID: 7500)
    • Detects InnoSetup installer (YARA)

      • SkyVPNSetup-official.tmp (PID: 3268)
      • SkyVPNSetup-official.exe (PID: 7952)
    • Reads the machine GUID from the registry

      • SkyVPNSetup-official.tmp (PID: 3268)
      • drvinst.exe (PID: 4120)
      • tapinstall.exe (PID: 7712)
      • skyvpn.exe (PID: 7500)
    • Compiled with Borland Delphi (YARA)

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Creates a software uninstall entry

      • SkyVPNSetup-official.tmp (PID: 3268)
    • Creates files in the program directory

      • tap-windows-9.21.2.exe (PID: 7888)
      • SkyVPNSetup-official.tmp (PID: 3268)
    • The sample compiled with english language support

      • tap-windows-9.21.2.exe (PID: 7888)
      • SkyVPNSetup-official.tmp (PID: 3268)
      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
      • drvinst.exe (PID: 7364)
    • Reads the software policy settings

      • tapinstall.exe (PID: 7712)
      • drvinst.exe (PID: 4120)
    • Process checks computer location settings

      • skyvpn.exe (PID: 7500)
    • Creates files or folders in the user directory

      • skyvpn.exe (PID: 7500)
      • WerFault.exe (PID: 8092)
      • WerFault.exe (PID: 7536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 206
Monitored processes: 61
Malicious processes: 7
Suspicious processes: 4

Behavior graph

Monitored processes in launch order (entries the graph renders with details are marked *; all others appear as "no specs"):
firefox.exe, firefox.exe*, firefox.exe, firefox.exe, firefox.exe, firefox.exe, sppextcomobj.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, skyvpnsetup-official.exe, skyvpnsetup-official.exe*, skyvpnsetup-official.tmp*, certmgr.exe, conhost.exe, certmgr.exe, conhost.exe, tap-windows-9.21.2.exe*, tapinstall.exe, conhost.exe, tapinstall.exe*, conhost.exe, drvinst.exe*, drvinst.exe*, skyvpn.exe*, werfault.exe, werfault.exe, ipconfig.exe, conhost.exe, netsh.exe*, conhost.exe, netsh.exe, conhost.exe, ipconfig.exe, conhost.exe, ipconfig.exe, conhost.exe, slui.exe, netsh.exe*, conhost.exe, netsh.exe, conhost.exe, ipconfig.exe, conhost.exe, ipconfig.exe, conhost.exe, slui.exe*, slui.exe, netsh.exe*, conhost.exe, netsh.exe, conhost.exe, ipconfig.exe, conhost.exe, ipconfig.exe, conhost.exe, slui.exe, openwith.exe, notepad.exe

Process information

PID 720  "C:\Windows\System32\ipconfig.exe" /flushdns
  Path: C:\Windows\SysWOW64\ipconfig.exe
  Parent: skyvpn.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: IP Configuration Utility
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\ipconfig.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 1056  "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
  Path: C:\Windows\System32\slui.exe
  Parent: SppExtComObj.Exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Windows Activation Client
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 1180  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5288 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1316 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6689df5-eece-47ca-b2b4-55d54dcda05c} 1272 "\\.\pipe\gecko-crash-server-pipe.1272" 1a344258150 tab
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Exit code: 0
  Version: 123.0

PID 1272  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.skyvpn.net/vpn-for-windows
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Exit code: 0
  Version: 123.0
  Modules (images):
    c:\program files\mozilla firefox\firefox.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\ucrtbase.dll
    c:\program files\mozilla firefox\mozglue.dll
    c:\windows\system32\crypt32.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\msvcp140.dll
    c:\windows\system32\vcruntime140.dll

PID 2192  "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
  Path: C:\Windows\System32\slui.exe
  Parent: SppExtComObj.Exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Windows Activation Client
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 2284  "C:\Windows\System32\ipconfig.exe" /flushdns
  Path: C:\Windows\SysWOW64\ipconfig.exe
  Parent: skyvpn.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: IP Configuration Utility
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\ipconfig.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 2344  \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent: ipconfig.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 2852  netsh interface ip set subinterface "24" mtu=1180
  Path: C:\Windows\SysWOW64\netsh.exe
  Parent: skyvpn.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Network Command Shell
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\netsh.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 2984  "C:\Windows\System32\ipconfig.exe" /flushdns
  Path: C:\Windows\SysWOW64\ipconfig.exe
  Parent: skyvpn.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: IP Configuration Utility
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\ipconfig.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 3268  "C:\Users\admin\AppData\Local\Temp\is-DDUGC.tmp\SkyVPNSetup-official.tmp" /SL5="$9014C,10236730,67072,C:\Users\admin\Downloads\SkyVPNSetup-official.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-DDUGC.tmp\SkyVPNSetup-official.tmp
  Parent: SkyVPNSetup-official.exe
  User: admin
  Company: (blank)
  Integrity level: HIGH
  Description: Setup/Uninstall
  Exit code: 3221226525 (0xC000041D)
  Version: 51.52.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\is-ddugc.tmp\skyvpnsetup-official.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
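The process list above is the raw material for host-side triage. The script below is an added example written for this report, not ANY.RUN code; it rebuilds the parent/child relationships from the records and applies a few rules to them: netsh and ipconfig driven by skyvpn.exe rather than by a baseline parent, the elevated Inno Setup stub running from the user's Temp folder, and the certificate-store and driver-installation tools the signature list names. It also makes one detail of this data explicit that matters when writing rules against it: the ipconfig and netsh command lines name System32, but the image that actually ran is the 32-bit copy under SysWOW64 (wow64.dll is in every one of those module lists), because skyvpn.exe is a 32-bit process and WoW64 file system redirection rewrites the path. A rule keyed on the command-line path will miss this; key it on the image path. Every event record is constructed by hand from the PIDs, command lines, paths, parents and integrity levels printed above; processes the report names only in its signature list are included with their image name alone, and the BASELINE_PARENTS allow-list is an assumption made for the example.

```python
"""Host-side triage of a sandbox process list: rebuild the parent/child view
and run a few detection rules over the recorded command lines.

Added example for this report, not ANY.RUN code. EVENTS is constructed by
hand from the report's process information (PID, image path, command line,
parent, integrity level). Processes the report names only in its signature
list (CertMgr.Exe 7564/7860, tapinstall.exe 7712, drvinst.exe 4120/7364,
skyvpn.exe 7500) carry the image name only. BASELINE_PARENTS is an assumption.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str        # image path as recorded (name only where the report shows no path)
    cmdline: str      # command line as recorded ("" if not shown)
    parent: str       # parent image name as recorded ("" if not shown)
    integrity: str = ""


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


EVENTS = [  # constructed from the report; see module docstring
    Proc(3268, r"C:\Users\admin\AppData\Local\Temp\is-DDUGC.tmp\SkyVPNSetup-official.tmp",
         r'"C:\Users\admin\AppData\Local\Temp\is-DDUGC.tmp\SkyVPNSetup-official.tmp" '
         r'/SL5="$9014C,10236730,67072,C:\Users\admin\Downloads\SkyVPNSetup-official.exe"',
         "SkyVPNSetup-official.exe", "HIGH"),
    Proc(720, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\System32\ipconfig.exe" /flushdns', "skyvpn.exe", "HIGH"),
    Proc(2284, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\System32\ipconfig.exe" /flushdns', "skyvpn.exe", "HIGH"),
    Proc(2984, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\System32\ipconfig.exe" /flushdns', "skyvpn.exe", "HIGH"),
    Proc(2852, r"C:\Windows\SysWOW64\netsh.exe", 'netsh interface ip set subinterface "24" mtu=1180', "skyvpn.exe", "HIGH"),
    Proc(2344, r"C:\Windows\System32\conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "ipconfig.exe", "HIGH"),
    Proc(7564, "CertMgr.Exe", "", ""),
    Proc(7860, "CertMgr.Exe", "", ""),
    Proc(7712, "tapinstall.exe", "", ""),
    Proc(4120, "drvinst.exe", "", ""),
    Proc(7364, "drvinst.exe", "", ""),
    Proc(7500, "skyvpn.exe", "", ""),
]

# Assumed parents that legitimately drive netsh/ipconfig; tune per estate.
BASELINE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "svchost.exe", "services.exe"}
NET_CONFIG_TOOLS = {"netsh.exe", "ipconfig.exe"}
CERT_TOOLS = {"certmgr.exe", "certutil.exe"}
DRIVER_TOOLS = {"drvinst.exe", "tapinstall.exe", "pnputil.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def children_of(events: list[Proc], parent: str) -> list[Proc]:
    """Processes whose recorded parent image name matches `parent`."""
    return [p for p in events if p.parent.lower() == parent.lower()]


def triage(events: list[Proc]) -> list[Finding]:
    out: list[Finding] = []
    for p in events:
        name = image_name(p.image)
        # Rule 1: network reconfiguration driven by an unexpected parent
        # (report: "Suspicious use of NETSH.EXE", "uses IPCONFIG to clear DNS cache").
        if name in NET_CONFIG_TOOLS and p.parent and p.parent.lower() not in BASELINE_PARENTS:
            out.append(Finding(p.pid, "net-config-from-unexpected-parent",
                               f"{name} <- {p.parent}: {p.cmdline}"))
        # Rule 2: cmdline names System32 but the image that ran is the 32-bit
        # copy under SysWOW64: WoW64 file system redirection, so the caller is
        # 32-bit. Match on the image path, never on command-line text.
        if "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower():
            out.append(Finding(p.pid, "wow64-redirected-system-binary", p.image))
        # Rule 3: elevated executable running out of the user's Temp folder.
        # Inno Setup always unpacks its *.tmp stub there, so alone this is weak
        # evidence; it matters in combination with the findings below.
        if "\\appdata\\local\\temp\\" in p.image.lower() and p.integrity.upper() == "HIGH":
            out.append(Finding(p.pid, "elevated-exec-from-temp", p.image))
        # Rule 4: certificate-store tooling (report: "Adds/modifies Windows certificates").
        if name in CERT_TOOLS:
            out.append(Finding(p.pid, "cert-store-tool-executed", name))
        # Rule 5: driver installation tooling (report: "Drops a system driver").
        if name in DRIVER_TOOLS:
            out.append(Finding(p.pid, "driver-install-tool-executed", name))
    return out


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.pid:>5}  {f.rule:<36} {f.detail}")
```

Run as-is it prints thirteen findings: four network-configuration launches under skyvpn.exe, three WoW64-redirected ipconfig images, the elevated Inno Setup stub in Temp, two CertMgr.Exe executions and three driver-installer executions. The conhost.exe record is deliberately left in to show that Rule 2 does not fire when the image really is the System32 copy.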
Total events: 36 026
Read events: 35 912
Write events: 100
Delete events: 14

Modification events

(PID 1272) firefox.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
  Operation: write
  Name: C:\Program Files\Mozilla Firefox\firefox.exe
  Value: 0

(PID 1272) firefox.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  Operation: write
  Name: SlowContextMenuEntries
  Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID 3268) SkyVPNSetup-official.tmp
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{822796AC-24D2-4DE2-939B-CE3531305189}_is1
  Operation: write (eight values under the same key)
    Inno Setup: Setup Version = 5.5.1.ee2 (a)
    Inno Setup: App Path = C:\Program Files (x86)\SkyVPN
    InstallLocation = C:\Program Files (x86)\SkyVPN\
    Inno Setup: Icon Group = (Default)
    Inno Setup: User = admin
    Inno Setup: Selected Tasks = desktopicon
    Inno Setup: Deselected Tasks = (empty)
    Inno Setup: Language = english
Executable files: 84
Suspicious files: 200
Text files: 773
Unknown types: 0

Dropped files (all ten listed entries were written by PID 1272, firefox.exe; a blank field is blank in the report)

C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
  Type: (blank)  MD5: (blank)  SHA256: (blank)
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp
  Type: binary  MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A  SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
  Type: text  MD5: 234AC89B44A7925A7A7F7E2A2650E254  SHA256: 0AE83A76ECE1CFD44F16DBB57AFD223C5D57F32479DE12DE5C02CF85AB892DF8
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin
  Type: binary  MD5: 297E88D7CEB26E549254EC875649F4EB  SHA256: 8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
  Type: binary  MD5: B7C14EC6110FA820CA6B65F5AEC85911  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Type: (blank)  MD5: (blank)  SHA256: (blank)
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp
  Type: binary  MD5: EF90022DF0735160DD056C0E6670E915  SHA256: 2B663C0B462A437C8DE3D9B95EE157AE181249B78BDD6F7BD73F7EB6D9E03F87
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
  Type: binary  MD5: B7C14EC6110FA820CA6B65F5AEC85911  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
  Type: binary  MD5: B7C14EC6110FA820CA6B65F5AEC85911  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db
  Type: binary  MD5: 191B914067B92F1B8883A54C52092DA6  SHA256: 29A82DECBB1CC0527F0C9A51595196EAE05CB2BE9C75B7629180ECC870DE6A62
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 49
TCP/UDP connections: 203
DNS requests: 139
Threats: 12

HTTP requests (the PID, process, content type and size columns are blank for every listed row; all ten rows are certificate revocation checks, OCSP and CRL, plus Firefox's captive-portal probe, and none touches skyvpn.net)

Method  Code     Server              URL                                                                  CN       Reputation
POST    200      2.16.241.8:80       http://r11.o.lencr.org/                                              unknown  whitelisted
GET     200      2.23.246.101:80     http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl   unknown  whitelisted
POST    200      18.245.65.219:80    http://ocsp.r2m02.amazontrust.com/                                   unknown  whitelisted
GET     200      34.107.221.82:80    http://detectportal.firefox.com/canonical.html                       unknown  whitelisted
POST    200      142.250.185.67:80   http://o.pki.goog/we2                                                unknown  whitelisted
POST    200      142.250.185.67:80   http://o.pki.goog/s/wr3/FIY                                          unknown  whitelisted
POST    200      142.250.185.67:80   http://o.pki.goog/s/wr3/3H4                                          unknown  whitelisted
POST    200      142.250.185.67:80   http://o.pki.goog/we2                                                unknown  whitelisted
POST    200      18.245.65.219:80    http://ocsp.r2m02.amazontrust.com/                                   unknown  whitelisted
POST    (blank)  2.16.241.8:80       http://r11.o.lencr.org/                                              unknown  whitelisted

Connections (a blank field is blank in the report)

PID   Process  Remote                 Domain                                  ASN                          Country  Reputation
4     System   192.168.100.255:137    (blank; NetBIOS name service broadcast) (blank)                      (blank)  whitelisted
      (blank)  40.127.240.158:443     settings-win.data.microsoft.com         MICROSOFT-CORP-MSN-AS-BLOCK  IE       whitelisted
      (blank)  2.19.11.120:80         crl.microsoft.com                       Elisa Oyj                    NL       whitelisted
      (blank)  2.23.246.101:80        www.microsoft.com                       Ooredoo Q.S.C.               QA       whitelisted
4     System   192.168.100.255:138    (blank; NetBIOS datagram broadcast)     (blank)                      (blank)  whitelisted
      (blank)  34.107.221.82:80       detectportal.firefox.com                GOOGLE                       US       whitelisted
      (blank)  3.167.227.121:443      www.skyvpn.net                          (blank)                      US       whitelisted
      (blank)  34.36.137.203:443      contile.services.mozilla.com            GOOGLE-CLOUD-PLATFORM        US       whitelisted
      (blank)  142.250.185.170:443    safebrowsing.googleapis.com             (blank)                      (blank)  whitelisted
      (blank)  34.149.100.209:443     firefox.settings.services.mozilla.com   GOOGLE                       US       whitelisted

DNS requests

Domain                                       Resolved addresses                                        Reputation
settings-win.data.microsoft.com              40.127.240.158, 4.231.128.59                              whitelisted
crl.microsoft.com                            2.19.11.120, 2.19.11.105                                  whitelisted
www.microsoft.com                            2.23.246.101, 23.35.229.160                               whitelisted
google.com                                   142.250.186.142                                           whitelisted
www.skyvpn.net                               3.167.227.121, 3.167.227.22, 3.167.227.26, 3.167.227.58   unknown
detectportal.firefox.com                     34.107.221.82                                             whitelisted
prod.detectportal.prod.cloudops.mozgcp.net   34.107.221.82, 2600:1901:0:38d7::                         whitelisted
d3oredzx8ky5lh.cloudfront.net                3.167.227.121, 3.167.227.22, 3.167.227.26, 3.167.227.58   whitelisted
                                             2600:9000:27e6:1c00:19:39b5:3540:93a1
                                             2600:9000:27e6:4200:19:39b5:3540:93a1
                                             2600:9000:27e6:fa00:19:39b5:3540:93a1
                                             2600:9000:27e6:3e00:19:39b5:3540:93a1
                                             2600:9000:27e6:9a00:19:39b5:3540:93a1
                                             2600:9000:27e6:5600:19:39b5:3540:93a1
                                             2600:9000:27e6:de00:19:39b5:3540:93a1
                                             2600:9000:27e6:8200:19:39b5:3540:93a1
example.org                                  23.215.0.132, 96.7.128.186, 96.7.128.192, 23.215.0.133    whitelisted
ipv4only.arpa                                192.0.0.171, 192.0.0.170                                  whitelisted

The www.skyvpn.net and d3oredzx8ky5lh.cloudfront.net entries resolve to the same four IPv4 addresses: the site is served through CloudFront, and the "unknown" reputation attaches to the vendor name, not to the shared CDN edge.

Threats (10 of the 12 counted alerts are listed; identical rows are grouped)

PID   Process     Class                                  Message                                                                        Count
7500  skyvpn.exe  Generic Protocol Command Decode        SURICATA HTTP gzip decompression failed                                        4
7500  skyvpn.exe  Potential Corporate Privacy Violation  POLICY [ANY.RUN] A SSH banner has been detected on a non-standard port number  3
7500  skyvpn.exe  Potential Corporate Privacy Violation  POLICY [ANY.RUN] A SSH banner has been detected                                3
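The six policy alerts are the network-side counterpart of the "Connects to unusual port" signature: skyvpn.exe opened TCP sessions in which the server announced itself with an SSH identification string, three of them on a port other than 22. Their class, Potential Corporate Privacy Violation, marks them as policy events rather than malware detections; an SSH transport is consistent with a VPN client doing its job and equally consistent with a covert tunnel, which is why an analyst has to read them in context. The four gzip decompression failures are protocol-anomaly events from Suricata's HTTP parser, not content signatures. The block below is an added example, not ANY.RUN's or Suricata's rule code; it re-implements the banner check so its behaviour is concrete: recognise the RFC 4253 identification string at the start of the server's stream, tolerate the pre-banner lines the RFC allows, refuse to fire on an unterminated fragment, and classify by destination port. The flows are constructed sample data using RFC 5737 documentation addresses; the report does not show the banner text or the ports actually used.

```python
"""Re-implementation of the check behind the "SSH banner has been detected
[on a non-standard port number]" policy alerts listed under Threats.

Added example for this report, not ANY.RUN's or Suricata's rule. RFC 4253
section 4.2 defines the identification string a server sends first:
"SSH-protoversion-softwareversion SP comments CR LF", optionally preceded by
other CR LF-terminated lines that must not start with "SSH-". SAMPLE_FLOWS is
constructed data (RFC 5737 addresses); the report shows neither the banner nor
the ports skyvpn.exe actually used.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SSH_PORT = 22
# protoversion / softwareversion: printable US-ASCII without SP or '-'.
BANNER_RE = re.compile(
    rb"\ASSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?\r?\Z"
)


@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    dport: int
    server_first_bytes: bytes   # start of the server-to-client stream


@dataclass(frozen=True)
class Alert:
    flow: Flow
    message: str
    software: str


def parse_ssh_banner(payload: bytes) -> tuple[str, str] | None:
    """Return (protoversion, softwareversion) if a complete, LF-terminated SSH
    identification string appears at the start of the stream, else None.
    Only terminated lines are examined, so a partial segment never matches."""
    for line in payload.split(b"\n")[:-1]:
        m = BANNER_RE.match(line)
        if m:
            return m.group("proto").decode("ascii"), m.group("software").decode("ascii")
        if line.startswith(b"SSH-"):
            return None          # looks like a banner but is malformed
    return None


def inspect(flows: list[Flow]) -> list[Alert]:
    """Apply the policy check to each flow; port 22 and non-22 get distinct messages."""
    alerts: list[Alert] = []
    for f in flows:
        parsed = parse_ssh_banner(f.server_first_bytes)
        if parsed is None:
            continue
        _proto, software = parsed
        message = ("A SSH banner has been detected" if f.dport == SSH_PORT
                   else "A SSH banner has been detected on a non-standard port number")
        alerts.append(Alert(f, message, software))
    return alerts


SAMPLE_FLOWS = [  # constructed; not traffic from the report
    Flow("192.0.2.10", "203.0.113.1", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("192.0.2.10", "203.0.113.2", 443, b"SSH-2.0-dropbear_2022.83\r\n"),
    Flow("192.0.2.10", "203.0.113.3", 443, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    Flow("192.0.2.10", "203.0.113.4", 8443, b"Welcome\r\nSSH-2.0-OpenSSH_9.6 Debian-4\r\n"),
    Flow("192.0.2.10", "203.0.113.5", 2222, b"SSH-2.0-Open"),   # truncated first segment
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_FLOWS):
        print(f"{a.flow.server}:{a.flow.dport}  {a.software:<18} {a.message}")
```

Of the five constructed flows, three raise alerts (one on port 22, two on other ports); the HTTP response is ignored and the truncated segment is held back until the terminating line feed arrives, which is the behaviour you want from a stream-based rule rather than a packet-based one.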
No debug info