File name: Windows Activator by Goddy 5.0.rar

Full analysis: https://app.any.run/tasks/a596810e-7773-4aa4-80c5-26086fc943f0
Verdict: Malicious activity
Analysis date: September 02, 2024, 18:25:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: F4CE977B205649E0858FC14B359F00D1
SHA1: 286C92D1D250D9F607699A0F0DF1BE30D59B7D70
SHA256: 688BC9DD64653E06294C0A78AC70D28873867AC1620464ED63795E6AA3B04AC0
SSDEEP: 12288:korw+Cf09UbzIP8PejXSiMW9qSmghh5WG7f:kKw+Cf0mbzIMRiMW9qrghSG7f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses name of the domain to which a computer belongs via WMI (SCRIPT)

      • wscript.exe (PID: 6324)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Windows Activator by Goddy.exe (PID: 4680)
      • gkey.exe (PID: 7008)
      • cmd.exe (PID: 5172)
      • Windows Activator by Goddy.exe (PID: 3540)
      • gkey.exe (PID: 6168)
      • cmd.exe (PID: 5148)
    • The executable file from the user directory is run by the CMD process

      • gkey.exe (PID: 7008)
      • 7z2201.exe (PID: 1116)
      • gkey.exe (PID: 6168)
    • Executing commands from a ".bat" file

      • gkey.exe (PID: 7008)
      • gkey.exe (PID: 6168)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6736)
      • cmd.exe (PID: 2684)
    • Application launched itself

      • cmd.exe (PID: 5172)
      • cmd.exe (PID: 5148)
    • Get information on the list of running processes

      • cmd.exe (PID: 5172)
      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 1640)
      • cmd.exe (PID: 3112)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 5148)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5172)
      • cmd.exe (PID: 5148)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6016)
      • WMIC.exe (PID: 6656)
      • WMIC.exe (PID: 6796)
      • WMIC.exe (PID: 6400)
      • WMIC.exe (PID: 1932)
    • The process verifies whether the antivirus software is installed

      • cmd.exe (PID: 5172)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6000)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 6536)
      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 3540)
    • Hides command output

      • cmd.exe (PID: 6000)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 6536)
      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 3540)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5172)
    • Executable content was dropped or overwritten

      • 7z2201.exe (PID: 1116)
      • curl.exe (PID: 6576)
    • Creates/Modifies COM task schedule object

      • 7z2201.exe (PID: 1116)
    • Drops 7-zip archiver for unpacking

      • 7z2201.exe (PID: 1116)
      • curl.exe (PID: 6576)
    • Creates a software uninstall entry

      • 7z2201.exe (PID: 1116)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • curl.exe (PID: 6284)
      • curl.exe (PID: 6784)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6324)
      • wscript.exe (PID: 6872)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 6100)
    • Runs PING.EXE to delay simulation

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
    • Reads security settings of Internet Explorer

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 6872)
      • wscript.exe (PID: 6324)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 6100)
    • Reads the date of Windows installation

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 6872)
      • wscript.exe (PID: 6324)
      • wscript.exe (PID: 4364)
      • wscript.exe (PID: 6100)
    • The process executes VB scripts

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
  • INFO

    • Manual execution by a user

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 6744)
      • Windows Activator by Goddy.exe (PID: 3540)
      • Windows Activator by Goddy.exe (PID: 6396)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6592)
      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
    • Create files in a temporary directory

      • Windows Activator by Goddy.exe (PID: 4680)
      • gkey.exe (PID: 7008)
      • curl.exe (PID: 7160)
      • curl.exe (PID: 6576)
      • Windows Activator by Goddy.exe (PID: 3540)
      • gkey.exe (PID: 6168)
    • Checks supported languages

      • Windows Activator by Goddy.exe (PID: 4680)
      • gkey.exe (PID: 7008)
      • mode.com (PID: 1932)
      • curl.exe (PID: 6784)
      • 7z2201.exe (PID: 1116)
      • curl.exe (PID: 7160)
      • curl.exe (PID: 7020)
      • curl.exe (PID: 6576)
      • mode.com (PID: 3144)
      • Windows Activator by Goddy.exe (PID: 3540)
      • gkey.exe (PID: 6168)
      • curl.exe (PID: 6284)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7020)
      • WMIC.exe (PID: 6016)
      • WMIC.exe (PID: 6656)
      • WMIC.exe (PID: 6796)
      • WMIC.exe (PID: 1932)
      • WMIC.exe (PID: 6400)
      • WMIC.exe (PID: 1076)
    • Reads the computer name

      • curl.exe (PID: 6784)
      • curl.exe (PID: 6284)
      • curl.exe (PID: 7160)
      • curl.exe (PID: 7020)
      • curl.exe (PID: 6576)
      • 7z2201.exe (PID: 1116)
      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
    • Creates files in the program directory

      • 7z2201.exe (PID: 1116)
    • Reads Microsoft Office registry keys

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
    • Process checks computer location settings

      • Windows Activator by Goddy.exe (PID: 4680)
      • Windows Activator by Goddy.exe (PID: 3540)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 1193
UncompressedSize: 2733
OperatingSystem: Win32
ModifyDate: 2024:06:27 19:24:50
PackingMethod: Normal
ArchivedFileName: Windows Activator by Goddy 5.0\Bitte_um_Unterstuetzung.html
No data.
Total processes: 199
Monitored processes: 73
Malicious processes: 11
Suspicious processes: 3

Behavior graph

(Interactive process graph; not reproduced here.)

Process information

PID: 188
CMD: tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 236
CMD: net session
Path: C:\Windows\System32\net.exe
Parent process: Windows Activator by Goddy.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll

PID: 736
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 8" 1>nul )"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1076
CMD: wmic path win32_LocalTime Get Day,Month,Year /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

PID: 1116
CMD: "C:\Users\admin\AppData\Local\Temp\7z2201.exe" /S
Path: C:\Users\admin\AppData\Local\Temp\7z2201.exe
Parent process: cmd.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Installer
Exit code: 0
Version: 22.01
Modules (images):
c:\users\admin\appdata\local\temp\7z2201.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

PID: 1164
CMD: reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1640
CMD: C:\WINDOWS\system32\cmd.exe /c tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1932
CMD: mode 120, 31
Path: C:\Windows\System32\mode.com
Parent process: Windows Activator by Goddy.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DOS Device MODE Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 1932
CMD: wmic os get caption
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

PID: 1964
CMD: tasklist /fi "imagename eq ekrn.exe" /fo csv /nh
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 17 560
Read events: 17 513
Write events: 47
Delete events: 0

Modification events

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Windows Activator by Goddy 5.0.rar

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process (PID): WinRAR.exe (6592)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process (PID): 7z2201.exe (1116)
Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation: write
Name: Path32
Value: C:\Program Files (x86)\7-Zip\

Process (PID): 7z2201.exe (1116)
Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation: write
Name: Path
Value: C:\Program Files (x86)\7-Zip\
Executable files: 9
Suspicious files: 6
Text files: 103
Unknown types: 1

Dropped files

PID: 6592 | Process: WinRAR.exe | Type: compressed
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6592.34067\Windows Activator by Goddy 5.0\Windows Activator by Goddy.exe
MD5: A99FF6B3A46D09197AA217FA0EECD8DA
SHA256: B212D71F422A7E17FED6E046E47A2337BA30DFAF63223D6CFA70E6F0751419BC

PID: 7008 | Process: gkey.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\02M0PYPS.bat
MD5: 2FA8921F764DCD0C06343FE7A892599D
SHA256: 87C38F89B60880617CC295B79E93747A62ECC23E4A466DDDB054A4DD5A9B40AE

PID: 1116 | Process: 7z2201.exe | Type: chm
Filename: C:\Program Files (x86)\7-Zip\7-zip.chm
MD5: 34208890A28244903621CD32CC3FBDFC
SHA256: 4B6939646570C9DDB5BFD39B8503EED99D8C64337E72F6DD4F9DDCFB4AC76703

PID: 4680 | Process: Windows Activator by Goddy.exe | Type: compressed
Filename: C:\Users\admin\AppData\Local\Temp\qb12D598.00\gkey.exe
MD5: 0DD1B3A18E76392F22833C94B81C1614
SHA256: 57EF2C28251F37858046E184690EF42EFF6D3B2B238A236843ECF3AE82552F77

PID: 6576 | Process: curl.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\7z2201.exe
MD5: 734E95CDBE04F53FE7C28EEAAAAD7327
SHA256: 8C8FBCF80F0484B48A07BD20E512B103969992DBF81B6588832B08205E3A1B43

PID: 1116 | Process: 7z2201.exe | Type: text
Filename: C:\Program Files (x86)\7-Zip\descript.ion
MD5: EB7E322BDC62614E49DED60E0FB23845
SHA256: 1DA513F5A4E8018B9AE143884EB3EAF72454B606FD51F2401B7CFD9BE4DBBF4F

PID: 1116 | Process: 7z2201.exe | Type: text
Filename: C:\Program Files (x86)\7-Zip\Lang\af.txt
MD5: FBBE51ACB879B525CC6B19D386697924
SHA256: 3793FB69EE9FD958CF15A272B1ED54E4B3D75592836EBCD085DC0E7B1400D1CB

PID: 7008 | Process: gkey.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\qb12D624.C2\cnf
MD5: A6A4651EE111B5A171E45C4248E2F98C
SHA256: 4EEAFFBFD77C858DE4845D80BB079DE90F1088A30DBEE85AE1377EEF4B6C8675

PID: 5172 | Process: cmd.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\cnf
MD5: A6A4651EE111B5A171E45C4248E2F98C
SHA256: 4EEAFFBFD77C858DE4845D80BB079DE90F1088A30DBEE85AE1377EEF4B6C8675

PID: 1116 | Process: 7z2201.exe | Type: text
Filename: C:\Program Files (x86)\7-Zip\History.txt
MD5: B1206A5ABF93BC64601A3CAA2DFF47D4
SHA256: 24A8A7C00F0BB8AC3096F58F53BD47FA392B8D220C1C43D372100BD692C68E5F
HTTP(S) requests: 3
TCP/UDP connections: 28
DNS requests: 18
Threats: 5

HTTP requests

PID: 2584 | Process: SIHClient.exe | Method: GET | HTTP Code: 200 | IP: 88.221.169.152:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown | Reputation: whitelisted

PID: 6816 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown | Reputation: whitelisted

PID: 2584 | Process: SIHClient.exe | Method: GET | HTTP Code: 200 | IP: 88.221.169.152:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown | Reputation: whitelisted

Connections

PID: 6056 | Process: svchost.exe | IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID/Process: not shown | IP: 192.168.100.255:138 | Reputation: whitelisted
PID/Process: not shown | IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 3888 | Process: svchost.exe | IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 4324 | Process: svchost.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 3260 | Process: svchost.exe | IP: 40.113.110.67:443 | Domain: client.wns.windows.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 6816 | Process: svchost.exe | IP: 40.126.32.72:443 | Domain: login.live.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 6816 | Process: svchost.exe | IP: 192.229.221.95:80 | Domain: ocsp.digicert.com | ASN: EDGECAST | CN: US | Reputation: whitelisted
PID: 6784 | Process: curl.exe | IP: 34.117.59.81:443 | Domain: ipinfo.io | ASN: GOOGLE-CLOUD-PLATFORM | CN: US | Reputation: shared

DNS requests

Domain: settings-win.data.microsoft.com | IP: 51.124.78.146, 20.73.194.208 | Reputation: whitelisted
Domain: google.com | IP: 142.250.185.142 | Reputation: whitelisted
Domain: client.wns.windows.com | IP: 40.113.110.67 | Reputation: whitelisted
Domain: login.live.com | IP: 40.126.32.72, 20.190.160.20, 40.126.32.68, 40.126.32.74, 40.126.32.76, 40.126.32.140, 20.190.160.17, 40.126.32.134 | Reputation: whitelisted
Domain: ocsp.digicert.com | IP: 192.229.221.95 | Reputation: whitelisted
Domain: ipinfo.io | IP: 34.117.59.81 | Reputation: shared
Domain: c.zeltitmp.net | IP: 141.136.39.211 | Reputation: unknown
Domain: www.7-zip.org | IP: 49.12.202.237 | Reputation: whitelisted
Domain: github.com | IP: 140.82.121.3 | Reputation: shared
Domain: objects.githubusercontent.com | IP: 185.199.111.133, 185.199.110.133, 185.199.109.133, 185.199.108.133 | Reputation: shared

Threats

PID: 6784 | Process: curl.exe | Class: Device Retrieving External IP Address Detected | Message: ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
PID: 6784 | Process: curl.exe | Class: Device Retrieving External IP Address Detected | Message: ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
PID: 6284 | Process: curl.exe | Class: Device Retrieving External IP Address Detected | Message: ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
PID: 2256 | Process: svchost.exe | Class: Device Retrieving External IP Address Detected | Message: ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
PID: 6284 | Process: curl.exe | Class: Device Retrieving External IP Address Detected | Message: ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
No debug info