File name:

kalmuri-3.1.1.1-installer_i-Df1b1.exe

Full analysis: https://app.any.run/tasks/06f6370f-b076-4570-b9e0-88a95ac8c62b
Verdict: Malicious activity
Threats:

Stealers are malicious programs built to gain unauthorized access to users' information and pass it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords or cryptocurrency wallets, and many also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed mainly through phishing campaigns.

Analysis date: December 20, 2024, 10:04:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
stealer
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

574681A698EFD3F8A87DE56C746607CF

SHA1:

BA14F725AA3BFACE6F87D0D26F27C96383AC1ECF

SHA256:

473C7F55AAA0D9A5F900E4F2B98A1664B539ED9E664279236E8694AC4A044BED

SSDEEP:

98304:sluPGk0korIY+LrM98bQjFFFQa+o6Ig2+ce/Unba+O+CB3jD9hla:fq

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been distorted by user actions during the run and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • servicehost.exe (PID: 540)
      • uihost.exe (PID: 6952)
  • SUSPICIOUS

    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 7000)
      • installer.exe (PID: 372)
      • installer.exe (PID: 4224)
      • uihost.exe (PID: 6952)
      • servicehost.exe (PID: 540)
      • cmd.exe (PID: 6544)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 4520)
      • updater.exe (PID: 3220)
    • Reads security settings of Internet Explorer

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • saBSI.exe (PID: 7000)
      • installer.exe (PID: 4224)
      • uihost.exe (PID: 6952)
    • Executable content was dropped or overwritten

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • saBSI.exe (PID: 7000)
      • installer.exe (PID: 372)
      • installer.exe (PID: 4224)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 7000)
      • servicehost.exe (PID: 540)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 7000)
      • installer.exe (PID: 4224)
      • servicehost.exe (PID: 540)
      • uihost.exe (PID: 6952)
      • updater.exe (PID: 3220)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 4224)
    • Creates file in the systems drive root

      • explorer.exe (PID: 6392)
    • The process creates files with name similar to system file names

      • installer.exe (PID: 4224)
      • servicehost.exe (PID: 540)
    • Process drops legitimate windows executable

      • installer.exe (PID: 4224)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 540)
      • uihost.exe (PID: 6952)
    • Creates a software uninstall entry

      • installer.exe (PID: 4224)
      • servicehost.exe (PID: 540)
    • Executes as Windows Service

      • servicehost.exe (PID: 540)
    • Hides command output

      • cmd.exe (PID: 6544)
    • Starts CMD.EXE for commands execution

      • servicehost.exe (PID: 540)
      • updater.exe (PID: 3220)
    • SMB connection has been detected (probably for file transfer)

      • explorer.exe (PID: 6392)
    • Searches for installed software

      • updater.exe (PID: 3220)
  • INFO

    • Reads the machine GUID from the registry

      • saBSI.exe (PID: 7000)
      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • installer.exe (PID: 4224)
      • servicehost.exe (PID: 540)
      • uihost.exe (PID: 6952)
      • updater.exe (PID: 3220)
    • Create files in a temporary directory

      • saBSI.exe (PID: 7000)
      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • installer.exe (PID: 4224)
    • Creates files in the program directory

      • saBSI.exe (PID: 7000)
      • installer.exe (PID: 372)
      • servicehost.exe (PID: 540)
      • installer.exe (PID: 4224)
      • uihost.exe (PID: 6952)
    • Checks supported languages

      • saBSI.exe (PID: 7000)
      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • installer.exe (PID: 372)
      • installer.exe (PID: 4224)
      • servicehost.exe (PID: 540)
      • updater.exe (PID: 3220)
      • uihost.exe (PID: 6952)
    • The sample compiled with english language support

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • saBSI.exe (PID: 7000)
      • installer.exe (PID: 372)
      • installer.exe (PID: 4224)
    • Sends debugging messages

      • saBSI.exe (PID: 7000)
      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • installer.exe (PID: 4224)
    • Reads the computer name

      • saBSI.exe (PID: 7000)
      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • installer.exe (PID: 4224)
      • uihost.exe (PID: 6952)
      • servicehost.exe (PID: 540)
      • updater.exe (PID: 3220)
    • Checks proxy server information

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • saBSI.exe (PID: 7000)
    • Reads the software policy settings

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • saBSI.exe (PID: 7000)
      • servicehost.exe (PID: 540)
      • uihost.exe (PID: 6952)
      • installer.exe (PID: 4224)
    • The process uses the downloaded file

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • explorer.exe (PID: 6392)
    • Process checks computer location settings

      • kalmuri-3.1.1.1-installer_i-Df1b1.exe (PID: 6520)
      • uihost.exe (PID: 6952)
      • servicehost.exe (PID: 540)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6392)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.1)
.exe | Win32 Executable (generic) (2.8)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:13 14:09:01+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2168320
InitializedDataSize: 2359296
UninitializedDataSize: -
EntryPoint: 0x1c6a95
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.13.45774
ProductVersionNumber: 3.0.13.45774
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Softonic
FileDescription: Softonic
FileVersion: 3.0.13.111310
LegalCopyright: (c) Softonic
ProductName: Softonic
ProductVersion: 3.0.13.111310
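The "File info" and EXIF fields above all come straight out of the COFF and optional headers, and two of them deserve a second look: TRiD's top guess ("Win64 Executable (generic)", 17.3) contradicts the header, which says PE32 for Intel 386, and TRiD scores are byte-pattern guesses while the header is authoritative; and the fixed version number (3.0.13.45774) differs from the version string (3.0.13.111310). The following parser is an added example for this page, not ANY.RUN's, ExifTool's or Softonic's code; build_stub_pe() constructs a header-only PE32 image carrying the report's values so the output can be compared line by line, and is not the analysed installer. It stops at the optional header and does not read VS_VERSIONINFO.

```python
"""Read the PE header fields that the "File info" / EXIF sections report.

Added example for this page; not ANY.RUN's, ExifTool's or Softonic's code.
build_stub_pe() constructs a header-only PE32 image whose values are copied
from the report so the parser's output can be compared with it; it is not
the analysed installer.
"""
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64", 0xAA64: "ARM64 little endian"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
CHARACTERISTICS = [(0x0002, "Executable"), (0x0100, "32-bit"), (0x2000, "DLL"), (0x0020, "Large address aware")]


def parse_pe(data: bytes) -> dict:
    """Return the COFF and optional-header fields; ValueError if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + 70 > len(data) or opt_size < 70:
        raise ValueError("optional header truncated")
    magic, lnk_major, lnk_minor, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    # Offsets 40, 48 and 68 are identical for PE32 and PE32+: the 8-byte
    # ImageBase of PE32+ absorbs exactly the 4 bytes BaseOfData takes in PE32.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # TimeDateStamp is set by whoever built the file; report it, do not trust it.
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "pe_type": "PE32" if magic == 0x10B else "PE32+",
        "machine": MACHINES.get(machine, "0x%04x" % machine),
        "sections": nsections,
        "timestamp": when.strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
        "linker": "%d.%d" % (lnk_major, lnk_minor),
        "code_size": code, "init_data_size": idata, "uninit_data_size": udata,
        "entry_point": "0x%x" % entry,
        "os_version": "%d.%d" % (os_major, os_minor),
        "subsystem_version": "%d.%d" % (ss_major, ss_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_stub_pe() -> bytes:
    """Constructed header-only PE32 stub carrying the report's values (no code)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stamp = int(datetime(2024, 11, 13, 14, 9, 1, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x014C, 5, stamp, 0, 0, 224, 0x0002 | 0x0100)
    opt = bytearray(224)  # PE32 optional header including 16 data directories
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 39, 2168320, 2359296, 0, 0x1C6A95)
    struct.pack_into("<HH", opt, 40, 6, 0)  # OSVersion 6.0
    struct.pack_into("<HH", opt, 48, 6, 0)  # SubsystemVersion 6.0
    struct.pack_into("<H", opt, 68, 2)      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe(build_stub_pe()).items():
        print("%-18s %s" % (key, value))
```

Run it against the real file with `parse_pe(open(path, "rb").read())`; every field should match the EXIF block above, and a mismatch in the timestamp format is the usual sign that a tool is displaying local time rather than UTC.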
No data.
All screenshots are available in the full report
Total processes
145
Monitored processes
17
Malicious processes
9
Suspicious processes
1

Behavior graph

Graph nodes, in the order shown ("no specs" marks processes for which no indicators were recorded):
  • start
  • kalmuri-3.1.1.1-installer_i-df1b1.exe
  • sabsi.exe
  • installer.exe
  • installer.exe
  • explorer.exe (no specs)
  • explorer.exe (no specs)
  • rundll32.exe (no specs)
  • servicehost.exe
  • uihost.exe
  • updater.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • kalmuri-3.1.1.1-installer_i-df1b1.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 372
CMD: "C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
Path: C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\installer.exe
Parent process: saBSI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\isv5efc.tmp\sabsi\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 540
CMD: "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
Path: C:\Program Files\McAfee\WebAdvisor\servicehost.exe
Parent process: services.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
McAfee WebAdvisor(service)
Version:
4,1,1,995
Modules
Images
c:\program files\mcafee\webadvisor\servicehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 3208
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3220
CMD: "C:\Program Files\McAfee\WebAdvisor\updater.exe"
Path: C:\Program Files\McAfee\WebAdvisor\updater.exe
Parent process: servicehost.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
McAfee WebAdvisor(updater)
Exit code:
0
Version:
4,1,1,995
Modules
Images
c:\program files\mcafee\webadvisor\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 3772
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4224
CMD: "C:\Program Files\McAfee\Temp2560867405\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
Path: C:\Program Files\McAfee\Temp2560867405\installer.exe
Parent process: installer.exe
User:
admin
Company:
McAfee, LLC
Integrity Level:
HIGH
Description:
McAfee WebAdvisor(installer)
Exit code:
0
Version:
4,1,1,995
Modules
Images
c:\program files\mcafee\temp2560867405\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ucrtbase.dll
PID: 4392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4520
CMD: C:\WINDOWS\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
Path: C:\Windows\System32\cmd.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 5696
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5728
CMD: C:\WINDOWS\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
Path: C:\Windows\System32\cmd.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
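Two things in the indicator list and the process table above are worth joining up. The processes carrying the "Actions looks like stealing of personal data" signature, servicehost.exe (PID 540) and uihost.exe (PID 6952), are the McAfee WebAdvisor service and UI host that the bundled installer set up (Company: McAfee, LLC in the process table), and the report records no malware configuration and no network threat signatures, so the stealer verdict rests on behavioural heuristics such as reading the Firefox installation path. The structural fact the sandbox cannot show directly is that this SYSTEM-level service descends from the HIGH-integrity installer chain: its recorded parent is services.exe, because a service start goes through the Service Control Manager. The script below is an added example (mine, not ANY.RUN's) that rebuilds the tree from the table and bridges that gap by attaching a service-started process to whichever earlier process wrote its image; PROCS and WRITES are constructed from this report, and fields marked ASSUMED (parent PIDs, the PID of services.exe, the integrity of PIDs 6520 and 7000, and the write of servicehost.exe by installer.exe 4224) are not stated on the page.

```python
"""Rebuild the sandbox process tree and re-attach service starts to the
installer that wrote their image.

Added example for this page, not ANY.RUN's code. PROCS and WRITES are
constructed from the report's process table and dropped-files list; values
marked ASSUMED are not stated on the page.
"""
import re
from collections import defaultdict

# (pid, image path, parent pid, user, integrity, command-line arguments)
PROCS = [
    (6520, r"C:\Users\admin\Downloads\kalmuri-3.1.1.1-installer_i-Df1b1.exe", None, "admin", "MEDIUM", ""),  # integrity ASSUMED
    (7000, r"C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\saBSI.exe", 6520, "admin", "HIGH", ""),     # parent, integrity ASSUMED
    (372, r"C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\installer.exe", 7000, "admin", "HIGH",
     "/setOem:Affid=91082 /s /thirdparty /upgrade"),
    (4224, r"C:\Program Files\McAfee\Temp2560867405\installer.exe", 372, "admin", "HIGH",
     "/setOem:Affid=91082 /s /thirdparty /upgrade"),
    (900, r"C:\Windows\System32\services.exe", None, "SYSTEM", "SYSTEM", ""),                    # PID ASSUMED
    (540, r"C:\Program Files\McAfee\WebAdvisor\servicehost.exe", 900, "SYSTEM", "SYSTEM", ""),
    (3220, r"C:\Program Files\McAfee\WebAdvisor\updater.exe", 540, "SYSTEM", "SYSTEM", ""),
    (4520, r"C:\Windows\System32\cmd.exe", 3220, "SYSTEM", "SYSTEM",
     r'/c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"'),
    (5728, r"C:\Windows\System32\cmd.exe", 3220, "SYSTEM", "SYSTEM",
     r'/c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )'),
]
# Executable writes (writer pid, path): first two from "Dropped files", third ASSUMED.
WRITES = [
    (6520, r"C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\saBSI.exe"),
    (7000, r"C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\installer.exe"),
    (4224, r"C:\Program Files\McAfee\WebAdvisor\servicehost.exe"),
]
TEMP_DIR = re.compile(r"\\temp[^\\]*\\", re.I)  # matches ...\Temp\... and ...\Temp2560867405\...
SHELLS = {"cmd.exe", "powershell.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def effective_parent(pid, by_pid, writes):
    """Parent PID, except that a process started by services.exe is attached to
    the earlier process that wrote its image: the SCM launders lineage."""
    path, parent = by_pid[pid][1], by_pid[pid][2]
    if parent is not None and image_name(by_pid[parent][1]) == "services.exe":
        for writer, wpath in writes:
            if wpath.lower() == path.lower():
                return writer
    return parent


def ancestry(pid, by_pid, writes):
    """PIDs from pid up to the root, following effective parents."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = effective_parent(pid, by_pid, writes)
    return chain


def triage(procs, writes, sample_pid):
    """Map finding name -> PIDs, mirroring the report's signature categories."""
    by_pid = {p[0]: p for p in procs}
    findings = defaultdict(list)
    for pid, path, parent, user, integrity, args in procs:
        name = image_name(path)
        if integrity in ("HIGH", "SYSTEM") and TEMP_DIR.search(path):
            findings["elevated-exec-from-temp"].append(pid)
        if name in SHELLS and parent is not None and by_pid[parent][3] == "SYSTEM":
            findings["system-spawned-shell"].append(pid)
        if name == "cmd.exe" and re.search(r"\bdel\b", args, re.I):
            findings["cleanup-via-cmd"].append(pid)
        if user == "SYSTEM" and pid != sample_pid and sample_pid in ancestry(pid, by_pid, writes):
            findings["sample-reaches-system"].append(pid)
    return dict(findings)


if __name__ == "__main__":
    for finding, pids in triage(PROCS, WRITES, 6520).items():
        print("%-26s %s" % (finding, pids))
```

Without the write events the chain for PID 540 stops at services.exe, which is exactly what the raw parent column shows; with them, every SYSTEM process in the run, including the two cmd.exe cleanup steps, traces back to the downloaded sample.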
Total events
36 450
Read events
36 194
Write events
245
Delete events
11

Modification events

PID / Process: 6520 kalmuri-3.1.1.1-installer_i-Df1b1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E8070C00050014000A0005000E00C401010000001E768127E028094199FEB9D127C57AFE

PID / Process: 6520 kalmuri-3.1.1.1-installer_i-Df1b1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 010000000000000052E7DEA9C652DB01

PID / Process: 6520 kalmuri-3.1.1.1-installer_i-Df1b1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E8070C00050014000A0005000E00B401010000001E768127E028094199FEB9D127C57AFE

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallationStatus
Value: PENDING

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor\Settings
Operation: write
Name: *Affid
Value: SYSTEM,STR,91082

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: UUID
Value: {A893CCFF-14D0-46A4-8833-DCEE3E4861BE}

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallerFlags
Value: 1

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallationID
Value: UNDEFINED

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: CountryCode
Value: DE

PID / Process: 7000 saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: NEW_USER_STATE
Value: EXPIRED
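The two binary values written by the sample (the Component Categories "Implementing" cache and the Shell Extensions\Cached entry) are shown above as raw hex, which hides the one thing they tell an analyst: when they were written and for which shell-extension CLSID. The decoder below is an added example for this page, not ANY.RUN's code; the blobs are the hex values from the report, and the field layouts (DWORD, DWORD, SYSTEMTIME, DWORD count, GUID array for the first; DWORD, DWORD, FILETIME for the second) are my reading of the bytes rather than documented structures. The reading is justified by the cross-check at the end: the SYSTEMTIME in the first blob and the FILETIME in the second decode to the same instant, 2024-12-20 10:05:14 UTC, about thirty seconds after the analysis start time of 10:04:43, and the GUID comes out as the {2781761E-...} CLSID named in the Cached value.

```python
"""Decode the binary values the installer wrote (modification events above).

Added example for this page, not ANY.RUN's code. The two blobs are the hex
values from the report. The layouts are my reading of the bytes, not
documented structures; the cross-check in same_second() justifies them.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

IMPLEMENTING = bytes.fromhex(
    "1C00000001000000E8070C00050014000A0005000E00C401010000001E768127E028094199FEB9D127C57AFE")
CACHED = bytes.fromhex("010000000000000052E7DEA9C652DB01")

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def systemtime(buf: bytes, off: int) -> datetime:
    """SYSTEMTIME: eight little-endian WORDs, year .. milliseconds (UTC here)."""
    year, month, _dow, day, hour, minute, sec, ms = struct.unpack_from("<8H", buf, off)
    return datetime(year, month, day, hour, minute, sec, ms * 1000, tzinfo=timezone.utc)


def guid_le(buf: bytes, off: int) -> str:
    """Registry GUIDs are stored with Data1..Data3 little-endian."""
    return "{%s}" % str(uuid.UUID(bytes_le=buf[off:off + 16])).upper()


def decode_component_categories(blob: bytes) -> dict:
    """DWORD offset of the GUID array (0x1C), DWORD, SYSTEMTIME, DWORD count, GUIDs."""
    guid_offset, flag = struct.unpack_from("<II", blob, 0)
    written = systemtime(blob, 8)
    count = struct.unpack_from("<I", blob, 24)[0]
    if guid_offset != 28 or len(blob) < 28 + 16 * count:
        raise ValueError("unexpected Component Categories layout")
    return {"flag": flag, "written": written,
            "guids": [guid_le(blob, guid_offset + 16 * i) for i in range(count)]}


def decode_shell_ext_cached(blob: bytes) -> dict:
    """DWORD flags, DWORD reserved, FILETIME of the cache entry."""
    flags, _reserved, ft = struct.unpack_from("<IIQ", blob, 0)
    return {"flags": flags, "written": filetime_to_datetime(ft)}


def same_second(a: datetime, b: datetime) -> bool:
    """True when two timestamps agree once sub-second precision is dropped."""
    return a.replace(microsecond=0) == b.replace(microsecond=0)


if __name__ == "__main__":
    cc = decode_component_categories(IMPLEMENTING)
    sc = decode_shell_ext_cached(CACHED)
    print("Component Categories:", cc["written"].isoformat(), cc["guids"])
    print("Shell Extensions\\Cached:", sc["written"].isoformat())
    print("timestamps agree to the second:", same_second(cc["written"], sc["written"]))
```

The same two helpers (SYSTEMTIME and FILETIME decoding) cover most timestamped binary registry values an installer leaves behind; when the decoded time is implausible for the run, the layout guess is wrong, which is why the agreement check is part of the example rather than an afterthought.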
Executable files
19
Suspicious files
203
Text files
812
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID 372, installer.exe
  C:\Program Files\McAfee\Temp2560867405\browserplugin.cab
  MD5:
  SHA256:

PID 6520, kalmuri-3.1.1.1-installer_i-Df1b1.exe
  C:\Users\admin\Downloads\kalmuri-3.1.1.1-installer.exe (compressed)
  MD5: BEB3B76F7F6F3F22FA7A4EFD070DFE48
  SHA256: 52C39DB42F58639C8DDC6B3594A53997E1B696B5895FA7144EB4270D2B802488

PID 6520, kalmuri-3.1.1.1-installer_i-Df1b1.exe
  C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\saBSI.exe (executable)
  MD5: 143255618462A577DE27286A272584E1
  SHA256: F5AA950381FBCEA7D730AA794974CA9E3310384A95D6CF4D015FBDBD9797B3E4

PID 7000, saBSI.exe
  C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00000057003F001D0006.txt (text)
  MD5: A97001B9E3BDF0636851DC9464DFC05E
  SHA256: 04B62BC5D7B9883152F64B465D2A1D9E0DFEE97F67A788A7D691134F7E362026

PID 6520, kalmuri-3.1.1.1-installer_i-Df1b1.exe
  C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI.zip (compressed)
  MD5: F68008B70822BD28C82D13A289DEB418
  SHA256: CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589

PID 372, installer.exe
  C:\Program Files\McAfee\Temp2560867405\mcafee_pc_install_icon.png (image)
  MD5: 18344204EC04F1E95E086D3BC94FA0FD
  SHA256: 30ADF46FD9311E5C6DFEA8A2AB2176EBAF83E7019EE341896FC3AAA5F498D2BA

PID 372, installer.exe
  C:\Program Files\McAfee\Temp2560867405\l10n.cab (compressed)
  MD5: 4C8E546D932FC567FA9A68C82F938E6E
  SHA256: BC88EE7B453E250F66B4FBD42BFB76176AE98A30583742302D26477E3D422206

PID 372, installer.exe
  C:\Program Files\McAfee\Temp2560867405\analyticstelemetry.cab (compressed)
  MD5: A15CF0E1FEA6C857CD90A27073009053
  SHA256: 63B731A170F3EEC34F4EEDFC1727F9C6343C0AE2F981783873C638F9A8F16EBF

PID 372, installer.exe
  C:\Program Files\McAfee\Temp2560867405\analyticsmanager.cab (compressed)
  MD5: D879D97ACF98B6EC553731A91D9FCD1C
  SHA256: D5D6D579965CB2E231AF81A2BF60A39A1955EC3782F27D9B1B8177F87B202C94

PID 7000, saBSI.exe
  C:\Users\admin\AppData\Local\Temp\ISV5EFC.tmp\saBSI\installer.exe (executable)
  MD5: 7DD0FAA9C00391333B2A12D21CA028BF
  SHA256: E4B5817742A53DCCC24CD2A266223045D03DA537B815CB03B782D4E6BAED5020
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
48
DNS requests
28
Threats
0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3584 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3584 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(not recorded) | (not recorded) | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3688 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
7044 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7044 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
(not recorded) | (not recorded) | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3584 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3584 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(not recorded) | (not recorded) | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.209.148:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1176 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.bing.com
  • 2.23.209.148
  • 2.23.209.176
  • 2.23.209.158
  • 2.23.209.154
  • 2.23.209.149
  • 2.23.209.177
  • 2.23.209.156
  • 2.23.209.160
  • 2.23.209.150
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.71
  • 20.190.159.68
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
d2l9m0bic5w1ty.cloudfront.net
  • 18.173.206.162
  • 18.173.206.110
  • 18.173.206.168
  • 18.173.206.211
whitelisted
images.sftcdn.net
  • 151.101.129.91
  • 151.101.65.91
  • 151.101.1.91
  • 151.101.193.91
whitelisted
gsf-fl.softonic.com
  • 151.101.1.91
  • 151.101.65.91
  • 151.101.129.91
  • 151.101.193.91
whitelisted
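Every HTTP request and every recorded connection in this run belongs to a Windows service fetching CRLs, OCSP responses or its own update and account endpoints; the only names tied to the sample's publisher, the Softonic CDN hosts (gsf-fl.softonic.com, images.sftcdn.net) and a CloudFront distribution, appear in the DNS list alone, consistent with the "DownloadPageDLM" stage that fetched kalmuri-3.1.1.1-installer.exe into Downloads. The "whitelisted" reputation is a property of the endpoint, not a statement about what a process did with it, so an analyst still has to separate guest background traffic from sample-attributable lookups. The script below is an added example for this page, not ANY.RUN's code: DNS, CONNECTIONS and HTTP are abridged copies of the tables above, and the OS_BACKGROUND and OS_PROCESSES lists and the three-way classification are my own heuristics.

```python
"""Split a sandbox run's network activity into OS background traffic and the
lookups that can be attributed to the sample.

Added example for this page, not ANY.RUN's code. DNS, CONNECTIONS and HTTP
are abridged from the report; the classification rules are my heuristics.
"""
from urllib.parse import urlparse

# Hosts a stock Windows 10 guest contacts on its own during a sandbox run.
OS_BACKGROUND = {"www.microsoft.com", "go.microsoft.com", "login.live.com", "www.bing.com"}
OS_PROCESSES = {"System", "svchost.exe", "MoUsoCoreWorker.exe", "SearchApp.exe",
                "SIHClient.exe", "backgroundTaskHost.exe"}

DNS = {  # domain -> first resolved IP (abridged from "DNS requests")
    "crl.microsoft.com": "2.16.164.106", "www.microsoft.com": "88.221.169.152",
    "google.com": "142.250.185.78", "www.bing.com": "2.23.209.148",
    "ocsp.digicert.com": "192.229.221.95", "login.live.com": "40.126.31.69",
    "go.microsoft.com": "184.28.89.167", "d2l9m0bic5w1ty.cloudfront.net": "18.173.206.162",
    "images.sftcdn.net": "151.101.129.91", "gsf-fl.softonic.com": "151.101.1.91",
}
CONNECTIONS = [  # (process, ip:port, domain) from "Connections"
    ("MoUsoCoreWorker.exe", "2.16.164.106:80", "crl.microsoft.com"),
    ("svchost.exe", "2.16.164.106:80", "crl.microsoft.com"),
    ("svchost.exe", "88.221.169.152:80", "www.microsoft.com"),
    ("SearchApp.exe", "2.23.209.148:443", "www.bing.com"),
    ("SearchApp.exe", "192.229.221.95:80", "ocsp.digicert.com"),
    ("svchost.exe", "40.126.31.69:443", "login.live.com"),
]
HTTP = [  # (process, url) from "HTTP requests"
    ("MoUsoCoreWorker.exe", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    ("svchost.exe", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    ("SearchApp.exe", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D"),
]


def classify_domain(domain: str) -> str:
    """'pki-revocation' for CRL/OCSP hosts, 'os-background' for Windows
    services, 'review' for everything else (needs an analyst's eyes)."""
    d = domain.lower()
    if d.startswith(("crl.", "ocsp.")):
        return "pki-revocation"
    if d in OS_BACKGROUND:
        return "os-background"
    return "review"


def classify_url(url: str) -> str:
    """A CRL or OCSP fetch is PKI noise even on an otherwise generic host."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if u.path.lower().endswith(".crl") or host.startswith("ocsp."):
        return "pki-revocation"
    return classify_domain(host)


def attribute(dns: dict, connections: list, http: list) -> dict:
    """Per resolved domain: class, which processes touched it, whether only a
    DNS lookup was recorded, and whether any non-OS process was involved."""
    out = {}
    for domain in dns:
        procs = sorted({p for p, _ip, d in connections if d == domain}
                       | {p for p, url in http if urlparse(url).hostname == domain})
        out[domain] = {
            "class": classify_domain(domain),
            "connected_by": procs,
            "dns_only": not procs,
            "non_os_process": any(p not in OS_PROCESSES for p in procs),
        }
    return out


def review_domains(dns: dict, connections: list, http: list) -> list:
    """Domains the heuristics cannot explain away; the analyst's worklist."""
    return sorted(d for d, info in attribute(dns, connections, http).items()
                  if info["class"] == "review")


if __name__ == "__main__":
    for domain, info in attribute(DNS, CONNECTIONS, HTTP).items():
        print("%-32s %-15s %s%s" % (domain, info["class"], info["connected_by"],
                                    "  (DNS only)" if info["dns_only"] else ""))
```

On this report the worklist comes out as the CloudFront distribution, google.com and the two Softonic CDN names, all DNS-only, and no non-OS process appears in any connection or HTTP row; the PCAP in the full report is where the TLS sessions behind those lookups would have to be examined.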

Threats

No threats detected
Debug messages

Process | Message
kalmuri-3.1.1.1-installer_i-Df1b1.exe | LoadingPage
kalmuri-3.1.1.1-installer_i-Df1b1.exe | WelcomePage
kalmuri-3.1.1.1-installer_i-Df1b1.exe | ProductPage
kalmuri-3.1.1.1-installer_i-Df1b1.exe | DownloadPageDLM
kalmuri-3.1.1.1-installer_i-Df1b1.exe | FinishPageDLM
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory