File name: Setup_patched.exe

Full analysis: https://app.any.run/tasks/a7cb2e2d-6209-429c-8617-418cf5dfa1ca
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: May 15, 2025, 15:29:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
MD5: 634699F44E0164A15070F6617EDD7656
SHA1: 115D09C17EB50D9CAAD096E1079D7356F191FBB9
SHA256: 5CB51DDFCE8C03D953EE418B31078F3C38D418BFDE227F680659685F94298571
SSDEEP: 98304:qGPxKPz8QpAbznPybjyBEj7ATlv0q2FfJiblEivczz3meAN29CB4WhVYOejrTcfd:zs5OMdo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • Setup_patched.exe (PID: 6040)
      • VirtuServer128.exe (PID: 7152)
    • Steals credentials from Web Browsers

      • Setup_patched.exe (PID: 6040)
    • Executing a file with an untrusted certificate

      • hjksfk.exe (PID: 5436)
      • hjksfq.exe (PID: 4464)
      • DistriCompiler89.exe (PID: 6668)
      • DistriCompiler89.exe (PID: 3676)
      • DistriCompiler89.exe (PID: 5204)
      • VirtuServer128.exe (PID: 7152)
      • shark.exe (PID: 2340)
    • Known privilege escalation attack

      • dllhost.exe (PID: 5008)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6080)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • Setup_patched.exe (PID: 6040)
      • hjksfk.exe (PID: 5436)
      • DistriCompiler89.exe (PID: 5204)
    • Potential Corporate Privacy Violation

      • Setup_patched.exe (PID: 6040)
    • Executable content was dropped or overwritten

      • Setup_patched.exe (PID: 6040)
      • hjksfq.exe (PID: 4464)
      • DistriCompiler89.exe (PID: 3676)
      • DistriCompiler89.exe (PID: 6668)
      • DistriCompiler89.exe (PID: 5204)
      • hjksfk.exe (PID: 5436)
      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4212)
    • Reads security settings of Internet Explorer

      • Setup_patched.exe (PID: 6040)
      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
      • hjksfq.exe (PID: 4464)
    • Drops 7-zip archiver for unpacking

      • DistriCompiler89.exe (PID: 6668)
    • Starts itself from another location

      • DistriCompiler89.exe (PID: 3676)
    • The process executes via Task Scheduler

      • shark.exe (PID: 2340)
    • Executes application which crashes

      • hjksfk.exe (PID: 5436)
      • shark.exe (PID: 2340)
    • Starts CMD.EXE for commands execution

      • hjksfk.exe (PID: 5436)
    • Process drops legitimate windows executable

      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4212)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
    • Starts process via Powershell

      • powershell.exe (PID: 6668)
    • Starts POWERSHELL.EXE for commands execution

      • VirtuServer128.exe (PID: 7152)
    • Connects to unusual port

      • VirtuServer128.exe (PID: 7152)
      • shark.exe (PID: 2340)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 4892)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 4892)
    • Uses WMIC.EXE to obtain Windows Installer data

      • shark.exe (PID: 2340)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1012)
  • INFO

    • Executes as Windows Service

      • elevation_service.exe (PID: 6644)
    • Checks supported languages

      • Setup_patched.exe (PID: 6040)
      • elevation_service.exe (PID: 6644)
      • hjksfk.exe (PID: 5436)
      • DistriCompiler89.exe (PID: 6668)
      • DistriCompiler89.exe (PID: 3676)
      • DistriCompiler89.exe (PID: 5204)
      • 7za.exe (PID: 896)
      • VirtuServer128.exe (PID: 7152)
      • shark.exe (PID: 2340)
      • 7za.exe (PID: 856)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4212)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
      • hjksfq.exe (PID: 4464)
    • Reads the machine GUID from the registry

      • Setup_patched.exe (PID: 6040)
      • 7za.exe (PID: 896)
      • VirtuServer128.exe (PID: 7152)
      • shark.exe (PID: 2340)
    • Reads the computer name

      • Setup_patched.exe (PID: 6040)
      • elevation_service.exe (PID: 6644)
      • hjksfq.exe (PID: 4464)
      • DistriCompiler89.exe (PID: 3676)
      • DistriCompiler89.exe (PID: 6668)
      • 7za.exe (PID: 896)
      • DistriCompiler89.exe (PID: 5204)
      • VirtuServer128.exe (PID: 7152)
      • 7za.exe (PID: 856)
      • shark.exe (PID: 2340)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
    • Process checks computer location settings

      • Setup_patched.exe (PID: 6040)
      • hjksfq.exe (PID: 4464)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
    • Creates files in the program directory

      • DistriCompiler89.exe (PID: 3676)
      • DistriCompiler89.exe (PID: 6668)
      • DistriCompiler89.exe (PID: 5204)
      • hjksfk.exe (PID: 5436)
      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4212)
    • The sample compiled with english language support

      • DistriCompiler89.exe (PID: 6668)
      • DistriCompiler89.exe (PID: 5204)
      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4212)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
    • Create files in a temporary directory

      • DistriCompiler89.exe (PID: 6668)
      • DistriCompiler89.exe (PID: 5204)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5008)
      • WMIC.exe (PID: 1012)
    • Checks transactions between databases Windows and Oracle

      • 7za.exe (PID: 896)
    • Compiled with Borland Delphi (YARA)

      • hjksfk.exe (PID: 5436)
    • Checks proxy server information

      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
      • wermgr.exe (PID: 7144)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • hjksfk.exe (PID: 5436)
      • shark.exe (PID: 2340)
    • Reads the software policy settings

      • VirtuServer128.exe (PID: 7152)
      • MicrosoftEdgeUpdate.exe (PID: 4892)
      • shark.exe (PID: 2340)
      • wermgr.exe (PID: 7144)
    • Creates files or folders in the user directory

      • VirtuServer128.exe (PID: 7152)
      • wermgr.exe (PID: 7144)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 4892)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:10:14 16:16:58+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.2
CodeSize: 11563008
InitializedDataSize: 16673280
UninitializedDataSize: 6517760
EntryPoint: 0x1140
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.9.0
ProductVersionNumber: 0.0.9.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: MPlayer is distributed under the terms of the GNU General Public License Version 2. Source code is available at http://www.mplayerhq.hu
FileDescription: MPlayer - The Movie Player
FileVersion: SVN-r32492-4.2.5
InternalName: Counter Counter
LegalCopyright: (C) 2000-2010 MPlayer Team
OriginalFileName: mplayer.exe
ProductName: MPlayer - The Movie Player
ProductVersion: SVN-r32492-4.2.5
SpecialBuild: http://oss.netfarm.it/mplayer-win32.php
No data.
All screenshots are available in the full report
Total processes: 189
Monitored processes: 45
Malicious processes: 11
Suspicious processes: 0

Behavior graph

Processes in the behavior graph, in the order listed: setup_patched.exe, chrome.exe (no specs), msedge.exe (no specs), elevation_service.exe (no specs), chrome.exe (no specs), msedge.exe (no specs), chrome.exe (no specs), msedge.exe (no specs), chrome.exe (no specs), msedge.exe (no specs), hjksfk.exe, hjksfq.exe, districompiler89.exe, districompiler89.exe, 7za.exe (no specs), conhost.exe (no specs), CMSTPLUA, districompiler89.exe, werfault.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), werfault.exe (no specs), virtuserver128.exe, slui.exe (no specs), 7za.exe (no specs), shark.exe, conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, wermgr.exe, werfault.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), wmic.exe (no specs), conhost.exe (no specs), werfault.exe (no specs).

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 616 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: 7za.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 660 | CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Parent process: Setup_patched.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 668 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: 7za.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 856 | CMD: "C:\ProgramData\Iaclientv2\7za.exe" "C:\ProgramData\Iaclientv2\7za.exe" a -t7z "C:\Users\admin\AppData\Roaming\app.7z" C: | Path: C:\ProgramData\Iaclientv2\7za.exe | Parent process: DistriCompiler89.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 18.05
Modules (Images):
c:\windows\system32\input.dll
c:\programdata\iaclientv2\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 896 | CMD: "C:\ProgramData\Iaclientv2\7za.exe" "C:\ProgramData\Iaclientv2\7za.exe" a -t7z "C:\Users\admin\AppData\Roaming\app.7z" C: | Path: C:\ProgramData\Iaclientv2\7za.exe | Parent process: DistriCompiler89.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 18.05
Modules (Images):
c:\windows\system32\input.dll
c:\programdata\iaclientv2\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1012 | CMD: wmic csproduct get UUID | Path: C:\Windows\SysWOW64\wbem\WMIC.exe | Parent process: shark.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\iphlpapi.dll
PID: 1052 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5436 -s 660 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: hjksfk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1328 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2340 -s 528 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: shark.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1532 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2096 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5436 -s 156 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: hjksfk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 17 205
Read events: 17 154
Write events: 49
Delete events: 2

Modification events

Process: (4920) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: failed_count | Value: 1
Process: (5112) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: failed_count | Value: 0
Process: (5112) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 2
Process: (660) msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: failed_count | Value: 0
Process: (660) msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: state | Value: 2
Process: (7152) msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: failed_count | Value: 1
Process: (3240) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: failed_count | Value: 2
Process: (3240) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 3
Process: (4560) msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: failed_count | Value: 2
Process: (4560) msedge.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon | Operation: write | Name: state | Value: 3
Executable files: 214
Suspicious files: 25
Text files: 6
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type | MD5 | SHA256
3240 | chrome.exe | C:\Users\admin\AppData\Local\Temp\Cookies | binary | MD5: 06AD9E737639FDC745B3B65312857109 | SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
4920 | chrome.exe | C:\Users\admin\AppData\Local\Temp\Login Data | binary | MD5: A45465CDCDC6CB30C8906F3DA4EC114C | SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
2772 | chrome.exe | C:\Users\admin\AppData\Local\Temp\Web Data | binary | MD5: F6C33AC5E1032A0873BE7BFC65169287 | SHA256: D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
5204 | DistriCompiler89.exe | C:\Users\admin\AppData\Local\Temp\F5F878D.tmp | (no type) | MD5: (none) | SHA256: (none)
4464 | hjksfq.exe | C:\Users\admin\DistriCompiler89.exe | executable | MD5: 9E90C7BA64A66D9AB4703AF006540193 | SHA256: A519304C3BBA23EAE2045A85E01AAE44E6556B2F787966654B7209DB13CFA0C4
4464 | hjksfq.exe | C:\Users\admin\balata.app | binary | MD5: B91B05B3D67760A786C8B1EFC5955BC3 | SHA256: 3BF2616347DA3CF6440536EE343CA7B44811E9D5F7307CFEF9BE54714AB8AF00
3676 | DistriCompiler89.exe | C:\ProgramData\Iaclientv2\balata.app | binary | MD5: B91B05B3D67760A786C8B1EFC5955BC3 | SHA256: 3BF2616347DA3CF6440536EE343CA7B44811E9D5F7307CFEF9BE54714AB8AF00
5436 | hjksfk.exe | C:\ProgramData\shark.exe | executable | MD5: 7019B60173E7DE285F19621945DEDF25 | SHA256: 25A375F5CBA3DCE4024BC78F7D4768A83CF09A64DDB971BD10C87FA97E4A5D65
4464 | hjksfq.exe | C:\Users\admin\dx0.dll | executable | MD5: 693DFBB9B324E80B70660927CA1DEA69 | SHA256: 7C28D90E3484B566EE00ADAB4679A3D1C51F86F01560035D86C8F7788AC05234
4464 | hjksfq.exe | C:\Users\admin\IconX.dll | executable | MD5: F36412FC804A3D4B2236B59195232B16 | SHA256: AF51DE13B16EE6EA6E09E59C4B2B32CBBA200F4A47A558B48E879C63D1AB1164
HTTP(S) requests: 15
TCP/UDP connections: 51
DNS requests: 24
Threats: 8

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row; "-" marks a cell the report leaves blank)
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6040 | Setup_patched.exe | GET | - | 104.21.45.251:80 | http://h4.tykeblot.today/shark.bin | unknown | unknown
6040 | Setup_patched.exe | GET | - | 104.21.45.251:80 | http://h4.tykeblot.today/sh.ext.bin | unknown | unknown
7152 | VirtuServer128.exe | GET | 200 | 18.66.21.194:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEk8qlS4%2B0YpYvbhdG8DOXyc%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell the report leaves blank)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
- | - | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.17
  • 40.126.32.72
  • 20.190.160.64
  • 20.190.160.20
  • 20.190.160.4
  • 40.126.32.138
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

Columns: PID | Process | Class | Message
6040 | Setup_patched.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
6040 | Setup_patched.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6040 | Setup_patched.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
6040 | Setup_patched.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES DNS Query to Commonly Actor Abused Online Service (data-seed-prebsc-1-s1 .binance .org)
7152 | VirtuServer128.exe | Misc activity | ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (data-seed-prebsc-1-s1 .binance .org in TLS SNI)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES DNS Query to Commonly Actor Abused Online Service (data-seed-prebsc-2-s1 .binance .org)
2340 | shark.exe | Misc activity | ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (data-seed-prebsc-2-s1 .binance .org in TLS SNI)
No debug info