File name:

sunshine-windows-installer.exe

Full analysis: https://app.any.run/tasks/e5263f92-93b7-4083-8d42-110487cd1ace
Verdict: Malicious activity
Analysis date: October 24, 2024, 19:44:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

8312C5F6B4975BD773854ED2A60AD055

SHA1:

6993DE295C40C9FC81730EEC58E0C32B9F6F159D

SHA256:

5608A618BC19FA3E21E6272D91D6443512DA3C3965BD62E18092B4C7EC07CD29

SSDEEP:

98304:AWLvXpT3zu1KtEMaNTKdSqr6gO/exxPOedDq+94giPwPQpBOml+TRgBEPVB9f/AN:o8ofKgIb7vU7cWFjI752zzCS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 8596)
      • cmd.exe (PID: 8576)
      • net.exe (PID: 8724)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • sunshine-windows-installer.exe (PID: 6264)
      • curl.exe (PID: 8136)
      • virtual_gamepad.exe (PID: 7260)
      • nefconw.exe (PID: 8328)
      • drvinst.exe (PID: 8392)
    • Uses ICACLS.EXE to modify access control lists

      • nsF140.tmp (PID: 5324)
      • cmd.exe (PID: 6200)
    • Executing commands from a ".bat" file

      • nsF22C.tmp (PID: 1372)
      • nsF3A4.tmp (PID: 3848)
      • nsF887.tmp (PID: 7744)
      • ns654C.tmp (PID: 8520)
      • ns7039.tmp (PID: 8992)
    • Starts application with an unusual extension

      • sunshine-windows-installer.exe (PID: 6264)
    • Starts CMD.EXE for commands execution

      • nsF22C.tmp (PID: 1372)
      • nsF3A4.tmp (PID: 3848)
      • nsF887.tmp (PID: 7744)
      • cmd.exe (PID: 7856)
      • ns654C.tmp (PID: 8520)
      • ns7039.tmp (PID: 8992)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6832)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7856)
    • Manipulates environment variables

      • powershell.exe (PID: 7988)
    • Application launched itself

      • cmd.exe (PID: 7856)
    • Drops a system driver (possible attempt to evade defenses)

      • nefconw.exe (PID: 8328)
      • virtual_gamepad.exe (PID: 7260)
      • msiexec.exe (PID: 3864)
      • drvinst.exe (PID: 8392)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8084)
      • sunshinesvc.exe (PID: 8764)
    • Process drops legitimate windows executable

      • virtual_gamepad.exe (PID: 7260)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7940)
    • The executable file from the user directory is run by the CMD process

      • virtual_gamepad.exe (PID: 7260)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 8576)
      • cmd.exe (PID: 9048)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • sunshine-windows-installer.exe (PID: 6264)
  • INFO

    • Checks supported languages

      • sunshine-windows-installer.exe (PID: 6264)
    • Create files in a temporary directory

      • sunshine-windows-installer.exe (PID: 6264)
    • Reads the computer name

      • sunshine-windows-installer.exe (PID: 6264)
    • Application launched itself

      • msedge.exe (PID: 6832)
      • msedge.exe (PID: 7140)
    • Manual execution by a user

      • msedge.exe (PID: 7140)
      • sunshine.exe (PID: 8288)
    • Manages system restore points

      • SrTasks.exe (PID: 5932)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3864)
      • msedge.exe (PID: 8868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:07:14 21:04:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.4
CodeSize: 35328
InitializedDataSize: 72192
UninitializedDataSize: 402432
EntryPoint: 0x4250
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
285
Monitored processes
155
Malicious processes
6
Suspicious processes
1

Behavior graph

start sunshine-windows-installer.exe msedge.exe no specs nsf140.tmp no specs conhost.exe no specs icacls.exe no specs msedge.exe no specs nsf22c.tmp no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe cmd.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs nsf3a4.tmp no specs conhost.exe no specs msedge.exe no specs cmd.exe no specs msedge.exe no specs netsh.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs netsh.exe no specs msedge.exe no specs nsf887.tmp no specs conhost.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs curl.exe findstr.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs curl.exe virtual_gamepad.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs ns654c.tmp no specs conhost.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs net.exe no specs net1.exe no specs sunshinesvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs ns7039.tmp no specs conhost.exe no specs cmd.exe no specs sc.exe no specs sunshine.exe no specs conhost.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs 
ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs ddprobe.exe no specs msedge.exe no specs msedge.exe no specs sunshine.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sunshine-windows-installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
692
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2324 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
864
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6816 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
PID:
1112
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
nsF3A4.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1372
CMD:
"C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\nsF22C.tmp" "C:\Program Files\Sunshine\scripts\migrate-config.bat"
Path:
C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\nsF22C.tmp
Parent process:
sunshine-windows-installer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nscc02d.tmp\nsf22c.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1768
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID:
2420
CMD:
tools\ddprobe.exe 2 ""
Path:
C:\Program Files\Sunshine\tools\ddprobe.exe
Parent process:
sunshine.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
2289696772
PID:
2684
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID:
2808
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6148 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID:
2816
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=812 --field-trial-handle=2424,i,282595513251361007,5244243831868708966,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID:
3580
CMD:
tools\ddprobe.exe 4 ""
Path:
C:\Program Files\Sunshine\tools\ddprobe.exe
Parent process:
sunshine.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
2289696772
Total events
14 453
Read events
14 384
Write events
60
Delete events
9

Modification events

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: DisplayName
Value:
Sunshine

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: DisplayVersion
Value:
0.23.1

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: Publisher
Value:
LizardByte

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: UninstallString
Value:
"C:\Program Files\Sunshine\Uninstall.exe"

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: NoRepair
Value:
1

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: NoModify
Value:
1

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: DisplayIcon
Value:
C:\Program Files\Sunshine\Sunshine.exe

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: HelpLink
Value:
https://sunshinestream.readthedocs.io/en/latest/about/installation.html

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: URLInfoAbout
Value:
https://app.lizardbyte.dev/Sunshine

(PID) Process: (6264) sunshine-windows-installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sunshine
Operation: write
Name: Contact
Value:
https://app.lizardbyte.dev/Sunshine/support
Executable files
48
Suspicious files
535
Text files
171
Unknown types
13

Dropped files

PID
Process
Filename
Type
PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\UserInfo.dll
Type: executable
MD5: 8E1998776FFD1D578A80D603C55721FC
SHA256: 7616DE346EE28E4314D8A5BF67575C0010B1B07C93C6C29798F9106589BA25AE

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Program Files\Sunshine\zlib1.dll
Type: executable
MD5: 66A3477A51E8B7D4586EDF4659CDE8D5
SHA256: CB7AB3788D10940DF874ACD97B1821BBB5EE4A91F3EEC11982BB5BF7A3C96443

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Program Files\Sunshine\assets\shaders\directx\convert_yuv420_packed_uv_type0_ps.hlsl
Type: text
MD5: 920BFD762632909D51768DF25483356C
SHA256: 897BC37D0319B5400E142EE5D04C7DD260AF1071040B4D8F0BB6DCA90C510A3E

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\InstallOptions.dll
Type: executable
MD5: FF6CB85ADB441E639DC58948651D54D2
SHA256: BBD81555ABBFEFF33AACDC8C34C307C2EB680953C7F4C4C02B20A8FE10E88BD6

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\modern-header.bmp
Type: image
MD5: 92FCFB4F2E95D8BA0EC7DE564E62F68A
SHA256: 1967D92ABD7EE2151CA9A50CEEF9210FDBF0023ECCEF294B2042F5FBBEE08067

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\modern-wizard.bmp
Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscC02D.tmp\StartMenu.dll
Type: executable
MD5: 3E60C0B440B1ECC21D956E83BCBA0976
SHA256: 135E5A8272B9732D4B9A798B29ADF953B4FE4E802B3F6178896ADA530D4ECDFB

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Program Files\Sunshine\assets\apps.json
Type: binary
MD5: 4DEC1CF39B94CC2A310BEF765E607724
SHA256: 6AA14F95E7BA22B05A06ACB24C077DF2B0959DE43C201A686A5EF5A628FD6DE5

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Program Files\Sunshine\sunshine.exe
Type: executable
MD5: 5B255552807B3BD722FABA6A463D1A6A
SHA256: 41C8C86D9E3C972263739DA84A7F755DB27C9BA66F20F00D0D8A782019E876A3

PID: 6264
Process: sunshine-windows-installer.exe
Filename: C:\Program Files\Sunshine\tools\ddprobe.exe
Type: executable
MD5: 663EADB7EC4C5E13D7EEE41FB1D3A379
SHA256: 38D34C69E130EA11DECDE8CB43909D84F2EF6A0B58ECBEF58FDA7141153A645C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
56
TCP/UDP connections
122
DNS requests
116
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
624
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
748
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D
unknown
whitelisted
748
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEE4o94a2bBo7lCzSxA63QqU%3D
unknown
whitelisted
748
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEQCL3A%2F%2FVHcvqtFzJz8jNiqv
unknown
whitelisted
748
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4360
SearchApp.exe
2.23.209.177:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 20.44.239.154
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 2.23.209.177
  • 2.23.209.182
  • 2.23.209.150
  • 2.23.209.158
  • 2.23.209.149
  • 2.23.209.154
  • 2.23.209.156
  • 2.23.209.179
  • 2.23.209.160
  • 2.23.209.141
  • 2.23.209.187
  • 2.23.209.135
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.130
  • 2.23.209.143
  • 2.23.209.183
  • 2.23.209.133
  • 104.126.37.154
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.152
  • 104.126.37.146
  • 104.126.37.145
  • 104.126.37.170
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.72
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.133
  • 40.126.32.136
whitelisted
th.bing.com
  • 2.23.209.141
  • 2.23.209.187
  • 2.23.209.135
  • 2.23.209.140
  • 2.23.209.149
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.130
  • 2.23.209.143
whitelisted
go.microsoft.com
  • 184.28.89.167
  • 23.218.210.69
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
No debug info