File name: imperiumsetup.exe
Full analysis: https://app.any.run/tasks/08d2affe-dbac-4266-8e96-1b4734b75df4
Verdict: Malicious activity
Analysis date: May 19, 2025, 18:54:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: AF8F96D6210AFCB7FC5DAB508E73D696
SHA1: F74DC44A2B2853AC6280DF6968FD9DBB2B59D2FB
SHA256: 611E956DC9645991EEF48B366D4C5322B327886A040AB8FDC90D38C1A2B0C9B8
SSDEEP: 98304:ALVIF8P3n1BLHxtD59KEKjSvDHe0PgdbioEYfc+l+SjMPgyvq4DPvyH4FynqZuwX:0DrJDsy9B6JFh5On

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • imperiumsetup.tmp (PID: 6516)
    • Executable content was dropped or overwritten

      • imperiumsetup.exe (PID: 1628)
      • imperiumsetup.exe (PID: 2320)
      • imperiumsetup.tmp (PID: 6388)
      • tar.exe (PID: 5084)
    • Reads the Windows owner or organization settings

      • imperiumsetup.tmp (PID: 6388)
    • Application launched itself

      • Imperium.exe (PID: 732)
    • Starts CMD.EXE for commands execution

      • Imperium.exe (PID: 4120)
    • Process drops legitimate windows executable

      • tar.exe (PID: 5084)
    • The process drops C-runtime libraries

      • tar.exe (PID: 5084)
  • INFO

    • Process checks computer location settings

      • imperiumsetup.tmp (PID: 6516)
    • Checks supported languages

      • imperiumsetup.tmp (PID: 6516)
      • imperiumsetup.exe (PID: 2320)
      • imperiumsetup.tmp (PID: 6388)
      • imperiumsetup.exe (PID: 1628)
      • Imperium.exe (PID: 732)
      • Imperium.exe (PID: 4120)
    • Reads the computer name

      • imperiumsetup.tmp (PID: 6388)
      • imperiumsetup.exe (PID: 2320)
      • imperiumsetup.tmp (PID: 6516)
      • Imperium.exe (PID: 732)
      • Imperium.exe (PID: 4120)
    • Create files in a temporary directory

      • imperiumsetup.exe (PID: 2320)
      • imperiumsetup.exe (PID: 1628)
      • imperiumsetup.tmp (PID: 6388)
    • Creates files in the program directory

      • imperiumsetup.tmp (PID: 6388)
    • The sample compiled with english language support

      • imperiumsetup.tmp (PID: 6388)
      • tar.exe (PID: 5084)
    • Creates a software uninstall entry

      • imperiumsetup.tmp (PID: 6388)
    • Manual execution by a user

      • Imperium.exe (PID: 4040)
      • firefox.exe (PID: 2340)
      • WinRAR.exe (PID: 7936)
      • Imperium.exe (PID: 732)
      • firefox.exe (PID: 5600)
      • firefox.exe (PID: 1300)
      • firefox.exe (PID: 3620)
      • firefox.exe (PID: 1132)
      • firefox.exe (PID: 7764)
    • Reads the machine GUID from the registry

      • Imperium.exe (PID: 732)
      • Imperium.exe (PID: 4120)
    • Application launched itself

      • firefox.exe (PID: 2340)
      • firefox.exe (PID: 5640)
      • firefox.exe (PID: 5600)
      • firefox.exe (PID: 1300)
      • firefox.exe (PID: 3620)
    • Gets the hash of the file via CERTUTIL.EXE

      • certutil.exe (PID: 4212)
    • Creates files or folders in the user directory

      • Imperium.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:03 14:45:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 162304
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: ImperiumMC Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: ImperiumMC
ProductVersion: 1.0
No data.
All screenshots are available in the full report
Total processes: 185
Monitored processes: 47
Malicious processes: 1
Suspicious processes: 3

Behavior graph

start imperiumsetup.exe imperiumsetup.tmp no specs imperiumsetup.exe sppextcomobj.exe no specs slui.exe imperiumsetup.tmp imperium.exe no specs imperium.exe no specs imperium.exe conhost.exe no specs imperium.exe cmd.exe no specs certutil.exe no specs find.exe no specs find.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs cmd.exe no specs tar.exe icacls.exe no specs conhost.exe no specs winrar.exe no specs slui.exe firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID: 208
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 732
CMD: "C:\Program Files (x86)\ImperiumMC\bin\Imperium.exe"
Path: C:\Program Files (x86)\ImperiumMC\bin\Imperium.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files (x86)\imperiummc\bin\imperium.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 812
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2616 -childID 12 -isForBrowser -prefsHandle 5628 -prefMapHandle 6460 -prefsLen 31782 -prefMapSize 244583 -jsInitHandle 1484 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4437ed6a-e586-463c-85db-81befeaf6002} 5640 "\\.\pipe\gecko-crash-server-pipe.5640" 164a9324850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1116
CMD: C:\WINDOWS\system32\cmd.exe /c tar -xf "C:\Users\admin\AppData\Roaming\.ImperiumMC\runtime\mods.zip" -C "C:\Users\admin\AppData\Roaming\.ImperiumMC\runtime"
Path: C:\Windows\System32\cmd.exe
Parent process: Imperium.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1132
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
HIGH
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
PID: 1300
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --attempting-deelevation
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID: 1628
CMD: "C:\Users\admin\AppData\Local\Temp\imperiumsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\imperiumsetup.exe
Parent process: explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
ImperiumMC Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\imperiumsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 2136
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Local\Temp\imperiumsetup.exe" /SPAWNWND=$602D2 /NOTIFYWND=$8034C
Path: C:\Users\admin\AppData\Local\Temp\imperiumsetup.exe
Parent process: imperiumsetup.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
ImperiumMC Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\imperiumsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 2340
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
Total events: 26 040
Read events: 26 014
Write events: 26
Delete events: 0

Modification events

All events below were written by PID 6388 (imperiumsetup.tmp), operation: write, under the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ImperiumMC_is1

Name: Inno Setup: Setup Version
Value: 6.4.3
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\ImperiumMC
Name: InstallLocation
Value: C:\Program Files (x86)\ImperiumMC\
Name: Inno Setup: Icon Group
Value: ImperiumMC
Name: Inno Setup: User
Value: admin
Name: Inno Setup: Language
Value: default
Name: DisplayName
Value: ImperiumMC version 1.0
Name: UninstallString
Value: "C:\Program Files (x86)\ImperiumMC\unins000.exe"
Name: QuietUninstallString
Value: "C:\Program Files (x86)\ImperiumMC\unins000.exe" /SILENT
Name: DisplayVersion
Value: 1.0
Executable files: 215
Suspicious files: 258
Text files: 153
Unknown types: 2

Dropped files

PID | Process | Filename | Type

6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\etc\ssl\ct_log_list.cnf.dist | text
MD5: 5B561A90362B8EB9127C792C3F5902E0
SHA256: F1C1803D13D1D0B755B13B23C28BD4E20E07BAF9F2B744C9337BA5866AA0EC3B
6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\is-F3PDD.tmp | executable
MD5: 8BABE861396ABDA4558556B94A58BFF1
SHA256: C8587A47421981E31D4929227A7D97DA78A5A541382592140321AE0B29A3CAA7
2320 | imperiumsetup.exe | C:\Users\admin\AppData\Local\Temp\is-TQT5U.tmp\imperiumsetup.tmp | executable
MD5: FCC1F454EEF8753FA3DA146A82805582
SHA256: 939C8FAFBDA58FD7E27591B9BD2017BF7BEB85706AAA6FD5AC146723776608AA
1628 | imperiumsetup.exe | C:\Users\admin\AppData\Local\Temp\is-1UC93.tmp\imperiumsetup.tmp | executable
MD5: FCC1F454EEF8753FA3DA146A82805582
SHA256: 939C8FAFBDA58FD7E27591B9BD2017BF7BEB85706AAA6FD5AC146723776608AA
6388 | imperiumsetup.tmp | C:\Users\admin\AppData\Local\Temp\is-7CF8T.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\etc\ssl\certs\ca-bundle.crt | text
MD5: 2D22D09AB7598075386ABC377041A93F
SHA256: 73D34A874EB28B5E7BF2E721A7C1322A6847D5EE4F1044F721C40054DB8AA97E
6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\etc\ssl\is-3AVH4.tmp | text
MD5: E8AFC6A3F874E6D772B1C5902CE1E09E
SHA256: 3A0C65FF954AFF207420846926D31D1B6056BE525A0F3D38DFF21F5B89F90688
6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\etc\ssl\cert.pem | text
MD5: 2D22D09AB7598075386ABC377041A93F
SHA256: 73D34A874EB28B5E7BF2E721A7C1322A6847D5EE4F1044F721C40054DB8AA97E
6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\etc\ssl\is-K7TLR.tmp | text
MD5: E8AFC6A3F874E6D772B1C5902CE1E09E
SHA256: 3A0C65FF954AFF207420846926D31D1B6056BE525A0F3D38DFF21F5B89F90688
6388 | imperiumsetup.tmp | C:\Program Files (x86)\ImperiumMC\etc\ssl\certs\is-E5L96.tmp | text
MD5: 544CAD78AC902087121C9F92CAB994AA
SHA256: 80F520FDFAE7ED96ECD10250BF164E13A27F8EDC403D07DB2BD6245A26F33C8F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 161
DNS requests: 213
Threats: 22

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.148:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5640 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
5640 | firefox.exe | POST | 200 | 184.24.77.69:80 | http://r11.o.lencr.org/ | unknown | whitelisted
5640 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://o.pki.goog/s/wr3/FIY | unknown | whitelisted
5640 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://o.pki.goog/we2 | unknown | whitelisted
5640 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
5640 | firefox.exe | POST | 200 | 184.24.77.53:80 | http://r10.o.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.148:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation

crl.microsoft.com | 23.48.23.148, 23.48.23.146, 23.48.23.138, 23.48.23.162, 23.48.23.161, 23.48.23.143, 23.48.23.158, 23.48.23.149, 23.48.23.147, 23.48.23.183, 23.48.23.193, 23.48.23.166, 23.48.23.176, 23.48.23.190, 23.48.23.145, 23.48.23.169 | whitelisted
google.com | 142.250.185.174 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
login.live.com | 20.190.160.64, 20.190.160.3, 20.190.160.128, 40.126.32.74, 20.190.160.20, 20.190.160.2, 20.190.160.132, 40.126.32.68 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
api.imperiummc.hu | 172.67.194.251, 104.21.60.85 | unknown
gateway.imperiummc.hu | 104.21.60.85, 172.67.194.251 | unknown
cdn-client.imperiummc.hu | 172.67.194.251, 104.21.60.85 | unknown

Threats

PID | Process | Class | Message

2196 | svchost.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
2196 | svchost.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
2196 | svchost.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
2196 | svchost.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
2196 | svchost.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
2196 | svchost.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
5640 | firefox.exe | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
No debug info