File name: sunshine-windows-installer.exe

Full analysis: https://app.any.run/tasks/e5263f92-93b7-4083-8d42-110487cd1ace
Verdict: Malicious activity
Analysis date: October 24, 2024, 19:44:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: discord
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5: 8312C5F6B4975BD773854ED2A60AD055
SHA1: 6993DE295C40C9FC81730EEC58E0C32B9F6F159D
SHA256: 5608A618BC19FA3E21E6272D91D6443512DA3C3965BD62E18092B4C7EC07CD29
SSDEEP: 98304:AWLvXpT3zu1KtEMaNTKdSqr6gO/exxPOedDq+94giPwPQpBOml+TRgBEPVB9f/AN:o8ofKgIb7vU7cWFjI752zzCS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 8576)
      • net.exe (PID: 8596)
      • net.exe (PID: 8724)
  • SUSPICIOUS

    • Uses ICACLS.EXE to modify access control lists

      • nsF140.tmp (PID: 5324)
      • cmd.exe (PID: 6200)
    • Executable content was dropped or overwritten

      • sunshine-windows-installer.exe (PID: 6264)
      • virtual_gamepad.exe (PID: 7260)
      • curl.exe (PID: 8136)
      • nefconw.exe (PID: 8328)
      • drvinst.exe (PID: 8392)
    • Starts application with an unusual extension

      • sunshine-windows-installer.exe (PID: 6264)
    • Starts CMD.EXE for commands execution

      • nsF22C.tmp (PID: 1372)
      • nsF3A4.tmp (PID: 3848)
      • nsF887.tmp (PID: 7744)
      • cmd.exe (PID: 7856)
      • ns654C.tmp (PID: 8520)
      • ns7039.tmp (PID: 8992)
    • Executing commands from a ".bat" file

      • nsF22C.tmp (PID: 1372)
      • nsF3A4.tmp (PID: 3848)
      • nsF887.tmp (PID: 7744)
      • ns654C.tmp (PID: 8520)
      • ns7039.tmp (PID: 8992)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6832)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7856)
    • Manipulates environment variables

      • powershell.exe (PID: 7988)
    • Application launched itself

      • cmd.exe (PID: 7856)
    • The executable file from the user directory is run by the CMD process

      • virtual_gamepad.exe (PID: 7260)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7940)
    • Process drops legitimate windows executable

      • virtual_gamepad.exe (PID: 7260)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 3864)
      • virtual_gamepad.exe (PID: 7260)
      • nefconw.exe (PID: 8328)
      • drvinst.exe (PID: 8392)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8084)
      • sunshinesvc.exe (PID: 8764)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 9048)
      • cmd.exe (PID: 8576)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • sunshine-windows-installer.exe (PID: 6264)
  • INFO

    • Checks supported languages

      • sunshine-windows-installer.exe (PID: 6264)
    • Application launched itself

      • msedge.exe (PID: 6832)
      • msedge.exe (PID: 7140)
    • Create files in a temporary directory

      • sunshine-windows-installer.exe (PID: 6264)
    • Reads the computer name

      • sunshine-windows-installer.exe (PID: 6264)
    • Manual execution by a user

      • msedge.exe (PID: 7140)
      • sunshine.exe (PID: 8288)
    • Manages system restore points

      • SrTasks.exe (PID: 5932)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3864)
      • msedge.exe (PID: 8868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:07:14 21:04:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.4
CodeSize: 35328
InitializedDataSize: 72192
UninitializedDataSize: 402432
EntryPoint: 0x4250
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 5.2
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 285
Monitored processes: 155
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Interactive process graph (root: sunshine-windows-installer.exe); available in the full report. The processes it covers are listed under Process information.

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 692
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2324 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6816 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
PID: 1112
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nsF3A4.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1372
CMD: "C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\nsF22C.tmp" "C:\Program Files\Sunshine\scripts\migrate-config.bat"
Path: C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\nsF22C.tmp
Parent process: sunshine-windows-installer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\nscc02d.tmp\nsf22c.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1768
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 2420
CMD: tools\ddprobe.exe 2 ""
Path: C:\Program Files\Sunshine\tools\ddprobe.exe
Parent process: sunshine.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 2289696772
PID: 2684
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 2808
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6148 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 2816
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=812 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 3580
CMD: tools\ddprobe.exe 4 ""
Path: C:\Program Files\Sunshine\tools\ddprobe.exe
Parent process: sunshine.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 2289696772
Total events: 14 453
Read events: 14 384
Write events: 60
Delete events: 9

Modification events

All ten events: PID 6264, process sunshine-windows-installer.exe, operation write, key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine

Name | Value
DisplayName | Sunshine
DisplayVersion | 0.23.1
Publisher | LizardByte
UninstallString | "C:\Program Files\Sunshine\Uninstall.exe"
NoRepair | 1
NoModify | 1
DisplayIcon | C:\Program Files\Sunshine\Sunshine.exe
HelpLink | https://sunshinestream.readthedocs.io/en/latest/about/installation.html
URLInfoAbout | https://app.lizardbyte.dev/Sunshine
Contact | https://app.lizardbyte.dev/Sunshine/support
Executable files: 48
Suspicious files: 535
Text files: 171
Unknown types: 13

Dropped files

PID | Process | Filename | Type
6264 | sunshine-windows-installer.exe | C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\ioSpecial.ini | text
    MD5: E2D5070BC28DB1AC745613689FF86067
    SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\apps.json | binary
    MD5: 4DEC1CF39B94CC2A310BEF765E607724
    SHA256: 6AA14F95E7BA22B05A06ACB24C077DF2B0959DE43C201A686A5EF5A628FD6DE5
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\shaders\directx\convert_yuv420_planar_y_ps.hlsl | text
    MD5: A0189EE10A7066186095AE31703C4F5D
    SHA256: 38A257893B34D9854A033E353584242820E586DDB2D8245FD43AAE182EF38360
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\shaders\directx\convert_yuv420_planar_y_vs.hlsl | text
    MD5: 2204BC27502CD5D11688560386D08BEE
    SHA256: E029CDC9B794AC859A787F6E73F357FC62EFE1F6CB161EA59B43B874428E81C0
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\shaders\directx\convert_yuv420_packed_uv_type0_ps_linear.hlsl | text
    MD5: 7BA99F704E3D336B7DA19EC698373F18
    SHA256: C0A67152C118E59C7B19BB55D180B3DBC7FC5841FC93688D799BD572F62997B8
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\shaders\directx\convert_yuv420_planar_y_ps_linear.hlsl | text
    MD5: CCF41A6C14F7F15F15BE17B06B27AFE9
    SHA256: 5778FC50BC74B44B752273A24B262ED0F960CCFA5F92C2DBF8A06589F614D43D
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\shaders\directx\convert_yuv420_packed_uv_type0_vs.hlsl | text
    MD5: 87394B1FE823D0F44F53DE4C401B515E
    SHA256: F41D68FE1CFB57EC0A7FEEA1FA39D546673F19E1A858181D2A5E4852ACD3F260
6264 | sunshine-windows-installer.exe | C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\UserInfo.dll | executable
    MD5: 8E1998776FFD1D578A80D603C55721FC
    SHA256: 7616DE346EE28E4314D8A5BF67575C0010B1B07C93C6C29798F9106589BA25AE
6264 | sunshine-windows-installer.exe | C:\Program Files\Sunshine\assets\shaders\directx\cursor_ps.hlsl | text
    MD5: DE9E70303529910E180611CAFEF30A0E
    SHA256: 3EC1EFCB2157233AE997F16633383A239A8D2399CA170D3FA12A6D5C09662662
6264 | sunshine-windows-installer.exe | C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\modern-wizard.bmp | image
    MD5: CBE40FD2B1EC96DAEDC65DA172D90022
    SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 56
TCP/UDP connections: 122
DNS requests: 116
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
748 | lsass.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd | unknown | - | - | whitelisted
748 | lsass.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | - | - | whitelisted
7260 | virtual_gamepad.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
7260 | virtual_gamepad.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
748 | lsass.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEE4o94a2bBo7lCzSxA63QqU%3D | unknown | - | - | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4360 | SearchApp.exe | 2.23.209.177:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 20.44.239.154 | whitelisted
crl.microsoft.com | 2.16.164.9, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
google.com | 216.58.206.78 | whitelisted
www.bing.com | 2.23.209.177, 2.23.209.182, 2.23.209.150, 2.23.209.158, 2.23.209.149, 2.23.209.154, 2.23.209.156, 2.23.209.179, 2.23.209.160, 2.23.209.141, 2.23.209.187, 2.23.209.135, 2.23.209.140, 2.23.209.189, 2.23.209.185, 2.23.209.130, 2.23.209.143, 2.23.209.183, 2.23.209.133, 104.126.37.154, 104.126.37.178, 104.126.37.171, 104.126.37.160, 104.126.37.139, 104.126.37.152, 104.126.37.146, 104.126.37.145, 104.126.37.170 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.68, 20.190.160.17, 40.126.32.72, 20.190.160.14, 20.190.160.20, 40.126.32.76, 40.126.32.133, 40.126.32.136 | whitelisted
th.bing.com | 2.23.209.141, 2.23.209.187, 2.23.209.135, 2.23.209.140, 2.23.209.149, 2.23.209.189, 2.23.209.185, 2.23.209.130, 2.23.209.143 | whitelisted
go.microsoft.com | 184.28.89.167, 23.218.210.69 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted

Threats

PID | Process | Class | Message
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
No debug info