File name:

≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍.7z

Full analysis: https://app.any.run/tasks/bd057f36-abfb-468a-a7c2-cc946aaaa59a
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: April 29, 2025, 01:30:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: F7D9C2BDB46F09BF6CD739F047C1D1BE
SHA1: F1C43D0A85020B352AB439AEFFFCF98A4B14953B
SHA256: 56327F385586623482307F95C4F1C1A178890DDCF7EDE2D0BE750BA66F6EA964
SSDEEP: 98304:cModBx7ASVgWn7UlVvDCfQ+BnIll39zX32iLdUsJ0hyo9SegYSd4gPTnMnDrYlPi:j9ZmwnFl18CTIBhWGV4gAIwg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
    • AutoIt loader has been detected (YARA)

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
    • Actions look like stealing of personal data

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
    • LUMMA mutex has been found

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
  • SUSPICIOUS

    • Process drops legitimate Windows executable

      • WinRAR.exe (PID: 900)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 900)
    • The process drops Mozilla's DLL files

      • WinRAR.exe (PID: 900)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 900)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
    • Executing commands from a ".bat" file

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
    • Starts CMD.EXE for commands execution

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • cmd.exe (PID: 632)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
      • cmd.exe (PID: 6676)
    • Gets information on the list of running processes

      • cmd.exe (PID: 632)
      • cmd.exe (PID: 6676)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 632)
      • cmd.exe (PID: 6676)
    • Application launched itself

      • cmd.exe (PID: 632)
      • cmd.exe (PID: 6676)
    • Starts application with an unusual extension

      • cmd.exe (PID: 632)
      • cmd.exe (PID: 6676)
    • The executable file from the user directory is run by the CMD process

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 632)
      • cmd.exe (PID: 6676)
    • There is functionality for taking screenshot (YARA)

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • Figured.com (PID: 6228)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
      • Figured.com (PID: 864)
    • Searches for installed software

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
  • INFO

    • The sample was compiled with Chinese language support

      • WinRAR.exe (PID: 900)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 900)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 900)
    • Checks supported languages

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • extrac32.exe (PID: 4172)
      • Figured.com (PID: 6228)
      • extrac32.exe (PID: 728)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
      • Figured.com (PID: 864)
    • Creates files in a temporary directory

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • extrac32.exe (PID: 4172)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
      • extrac32.exe (PID: 728)
    • Reads the computer name

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • extrac32.exe (PID: 4172)
      • Figured.com (PID: 6228)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
      • extrac32.exe (PID: 728)
      • Figured.com (PID: 864)
    • Process checks computer location settings

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 5244)
      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
    • Creates a new folder

      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 680)
    • Reads mouse settings

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
    • Reads the machine GUID from the registry

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
    • Reads the software policy settings

      • Figured.com (PID: 6228)
      • Figured.com (PID: 864)
      • slui.exe (PID: 6728)
    • Manual execution by a user

      • 𝙨𝙚𝙩𝙪𝙥.exe (PID: 1324)
    • Checks proxy server information

      • slui.exe (PID: 6728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2025:04:27 14:54:29+00:00
ArchivedFileName: ≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍
All screenshots are available in the full report
Total processes: 159
Monitored processes: 31
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes in the graph, in display order, with the labels the graph attaches to them:
  • start
  • winrar.exe
  • 𝙨𝙚𝙩𝙪𝙥.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • extrac32.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • figured.com (#LUMMA)
  • choice.exe (no specs)
  • slui.exe
  • 𝙨𝙚𝙩𝙪𝙥.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • extrac32.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • figured.com (#LUMMA)
  • choice.exe (no specs)
  • svchost.exe

Process information

PID: 300
CMD: cmd /c copy /b 296351\Figured.com + Distributor + Ca + Girlfriend + Pvc + Leave + Ware + Um + Poster + Breach 296351\Figured.com
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 632
CMD: "C:\WINDOWS\System32\cmd.exe" /c copy Deaths.sldx Deaths.sldx.bat & Deaths.sldx.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 𝙨𝙚𝙩𝙪𝙥.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 680
CMD: cmd /c md 296351
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 728
CMD: extrac32 /Y /E Nike.sldx
Path: C:\Windows\SysWOW64\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 864
CMD: Figured.com e
Path: C:\Users\admin\AppData\Local\Temp\296351\Figured.com
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: HIGH
Description: AutoIt v3 Script (Beta)
Exit code: 0
Version: 3, 3, 15, 5
Modules (Images):
c:\users\admin\appdata\local\temp\296351\figured.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

PID: 900
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1324
CMD: "C:\Users\admin\Desktop\𝙨𝙚𝙩𝙪𝙥.exe"
Path: C:\Users\admin\Desktop\𝙨𝙚𝙩𝙪𝙥.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\desktop\𝙨𝙚𝙩𝙪𝙥.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 1388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1568
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 1568
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Total events: 13 836
Read events: 13 816
Write events: 20
Delete events: 0

Modification events

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍.7z

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (900) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256

Executable files: 79
Suspicious files: 22
Text files: 71
Unknown types: 0

Dropped files

PID: 900 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\bin\StartupHelper
MD5: 14934CACA84D5FE0288F27EFB31DCBF8
SHA256: 7FA86147035627BAE39576BCBE619D045E94A48C4DB8CA131968C20BB4DE4A36

PID: 900 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\bin\sn.png
MD5: 58FCA4C7B881AAEEC8B8AA8DB72FE219
SHA256: DA1625BD11023E2CD79EDDFEB3544A4D0857A2A400D53E2D2CC6BD6154D484C5

PID: 900 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\gh11108.phpt
MD5: B34DD36BB30D3DAE8569D65786B04D28
SHA256: E44AF498A10448F49D1989C7B860B14B625706A41BF9089AEE1FF528D5481A31

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\bug53727.phpt
MD5: 4CB18FD7DBC051F51704A55F40FC46AA
SHA256: D25E246C4C818BA7EDC38F7DE4739F0EEED1FA697066F95D6D1BF20B1BB3E300

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\gammasection.c
MD5: 26B7B652A28FC0D6EF3E31C41E82151B
SHA256: 5C38B1919D7429475795E2AA032953A1ED1BCA2B17C168C0296FAD6D9CD73A9B

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\bug_42589.phpt
MD5: 01B882243AFCD6122EE0DE0C7EF65377
SHA256: 665F34C5FA8DD1E00117BC99AFE17C324C69148090792233DDEB89596215AADE

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\arginfo_zpp_mismatch.inc
MD5: 8C7063E30A5E12EB572D4148719BE9DE
SHA256: A86DB661BA043DF3CD5CA95C4C6CDF97FA280C5E009C399CC792C1674E474DB2

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\007.phpt
MD5: E22DC60FCFCD5DE579A93DF63A7AB4AB
SHA256: 0C7A5402C08CE2AA597EED27DE0C912343FDAC21F3C476FB724A5C51C82A5433

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\Help\CP1250.TXT
MD5: B09EE6E7DCB0CBBEDE73AE9E54978D65
SHA256: D1FEACC027C8EE03574C9576500212DCC72BB262D7774AA878BD9D8295D09518

PID: 900 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb900.5759\≈ 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 ≈ 𝐏𝐂 ~ 𝑺𝒆𝒕𝒖𝒑 ~ 𝑭𝒖𝒍𝒍\Config\frontcontroller24.phpt
MD5: D45E845E4DE4A08148C428FF47B7D1D6
SHA256: 778D250005AF5BB337C0C87B645360511D0F701430D6A8CC6645A817329930E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 55
DNS requests: 19
Threats: 0

HTTP requests

No HTTP requests

Connections

Rows for which the report shows no PID or process are marked with -.

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5392 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.64
  • 20.190.160.66
  • 20.190.160.14
  • 20.190.160.17
  • 20.190.160.2
  • 40.126.32.133
  • 40.126.32.76
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
  • 2603:1030:800:5::bfee:a08d
whitelisted
241.42.69.40.in-addr.arpa
unknown
d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
wUGjcXIrMxYadnNeYOu.wUGjcXIrMxYadnNeYOu
  • 49.13.77.253
unknown
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info