File name: 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2

Full analysis: https://app.any.run/tasks/1c0e8cf9-fb72-4636-9e34-1ea40f1079b6
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers many programs, each focused on a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: May 18, 2025, 13:42:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
ultravnc
rmm-tool
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 940F585195FCFDE2CCD29BD8736FDF5D
SHA1: 5A72142D35962575F437D58179EE453676F9D1C3
SHA256: 3869B0729D8F6C9D43C5CED36C569E723A782F7F949DA55E00F01454DC823EA2
SSDEEP: 49152:4zCKm9RuYRKvnZlYrv0sfbpsHmdT6LjGcVtG94SA7MBWJRpcWJDTmWT/IlUDN:msrv3AvdDTFbIGDN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Changes Windows Defender settings

      • svchost.exe (PID: 2320)
    • Adds path to the Windows Defender exclusion list

      • svchost.exe (PID: 2320)
    • Steals credentials from Web Browsers

      • InstallUtil.exe (PID: 4336)
    • Actions look like stealing of personal data

      • InstallUtil.exe (PID: 4336)
  • SUSPICIOUS

    • Reads the BIOS version

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
      • svchost.exe (PID: 2320)
    • Reads disk information to detect sandboxing environments

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
      • svchost.exe (PID: 2320)
    • The process checks if it is being run in the virtual environment

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
      • svchost.exe (PID: 2320)
    • The process creates files with name similar to system file names

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Executing commands from a ".bat" file

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Starts CMD.EXE for commands execution

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Executable content was dropped or overwritten

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5544)
    • The executable file from the user directory is run by the CMD process

      • svchost.exe (PID: 2320)
    • Script adds exclusion path to Windows Defender

      • svchost.exe (PID: 2320)
    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 2320)
    • Starts POWERSHELL.EXE for commands execution

      • svchost.exe (PID: 2320)
    • Checks for external IP

      • InstallUtil.exe (PID: 4336)
    • Connects to SMTP port

      • InstallUtil.exe (PID: 4336)
  • INFO

    • Reads the computer name

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
      • svchost.exe (PID: 2320)
      • InstallUtil.exe (PID: 4336)
    • Reads the machine GUID from the registry

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
      • svchost.exe (PID: 2320)
      • InstallUtil.exe (PID: 4336)
    • Creates files or folders in the user directory

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Checks supported languages

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
      • svchost.exe (PID: 2320)
      • InstallUtil.exe (PID: 4336)
    • Creates files in a temporary directory

      • 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (PID: 1676)
    • Process checks computer location settings

      • svchost.exe (PID: 2320)
    • Disables trace logs

      • InstallUtil.exe (PID: 4336)
    • Reads the software policy settings

      • InstallUtil.exe (PID: 4336)
    • Checks proxy server information

      • InstallUtil.exe (PID: 4336)
    • ULTRAVNC has been detected

      • InstallUtil.exe (PID: 4336)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2384)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2384)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2088:12:23 14:19:56+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 2276004
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x22da9e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.58.373.25
ProductVersionNumber: 2.58.373.25
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: iMake
FileDescription: IEOyuhEjU UmIEOHoxAre ADAhU iYifISAEiH oouIisoXo AWUoA.
FileVersion: 2.58.373.25
InternalName: ouuNOkesu
LegalCopyright: © 2023 iMake.
OriginalFileName: uhAlIZOZeGe
ProductName: EAEsOyoKe
ProductVersion: 2.58.373.25
Comments: AsaZujoT uduNOxUt ozAaizUT IWOuizUy opaBEmuZIQI aWioUUOh AHiwUji uUOhUXIj aoecEjozIaU.
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 12
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in graph: 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe (start), sppextcomobj.exe (no specs), slui.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs), svchost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), caspol.exe (no specs), addinprocess32.exe (no specs), installutil.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1052
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1188
CMD: timeout 3
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1676
CMD: "C:\Users\admin\AppData\Local\Temp\3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe"
Path: C:\Users\admin\AppData\Local\Temp\3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe
Parent process: explorer.exe
User:
admin
Company:
iMake
Integrity Level:
MEDIUM
Description:
IEOyuhEjU UmIEOHoxAre ADAhU iYifISAEiH oouIisoXo AWUoA.
Exit code:
0
Version:
2.58.373.25
Modules
Images
c:\users\admin\appdata\local\temp\3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe
Parent process: cmd.exe
User:
admin
Company:
iMake
Integrity Level:
MEDIUM
Description:
IEOyuhEjU UmIEOHoxAre ADAhU iYifISAEiH oouIisoXo AWUoA.
Exit code:
0
Version:
2.58.373.25
Modules
Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2384
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\svchost.exe" -Force
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4336
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5544
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmpC40D.tmp.bat""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5588
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 10 225
Read events: 10 209
Write events: 16
Delete events: 0

Modification events

Process: (1676) 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svchost
Value: "C:\Users\admin\AppData\Roaming\svchost.exe"

Process: (2320) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
Operation: write
Name: Enabled
Value: 0

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (4336) InstallUtil.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 1
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 1676
Process: 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmpC40D.tmp.bat
Type: text
MD5: 75A9256221ED4AC7CED9FC6EA029CCE7
SHA256: 9DD6A535925FFE15D4D9A005094635C6B195230441E282100ED75D2F910B2D0D

PID: 2384
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: C7E77364269724E66D86AE3F75C126A6
SHA256: 17A4EC7EFFB9EA31880A5C14F86DB9DEEE3518AC4F054AF6308EE6E9AF834152

PID: 2384
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_43bzaqx4.10d.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2384
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ujjjb3b3.avn.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2384
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fmdukege.vi4.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2384
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ku2q1je.okw.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1676
Process: 3869b0729d8f6c9d43c5ced36c569e723a782f7f949da55e00f01454dc823ea2.exe
Filename: C:\Users\admin\AppData\Roaming\svchost.exe
Type: executable
MD5: 940F585195FCFDE2CCD29BD8736FDF5D
SHA256: 3869B0729D8F6C9D43C5CED36C569E723A782F7F949DA55E00F01454DC823EA2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 22
DNS requests: 15
Threats: 4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6372
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6372
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4336
InstallUtil.exe
104.26.13.205:443
api.ipify.org
CLOUDFLARENET
US
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.131
  • 20.190.160.66
  • 20.190.160.4
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
api.ipify.org
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
shared
mail.cpbgdigital.com
  • 200.69.22.8
malicious
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4336
InstallUtil.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
4336
InstallUtil.exe
Generic Protocol Command Decode
SURICATA SMTP invalid reply
4336
InstallUtil.exe
Misc activity
INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
No debug info